Play wants to update apps installed from Obtanium

Elgoog

In my owner profile, which runs Play Services and is used only for installing apps and pushing the to other profiles, I have installed VLC from Obtanium. Why does Play offer to update VLC? How do I prevent it?

schklom

Elgoog In "Manage apps and device", click on "Updates available", then an app, then the 3 dots on the top-right of the screen, then disable "Enable auto-update".

The app will still show will not be automatically updated, and "Update all" will ask if you want to update that app.

Play Protect does not change this behaviour sadly, it simply sends the APKs to Google to check for malicious stuff. I disable it, but your issue is unrelated to it.

harp

Apps installed from the developer's website or Github repo or similar can have the same signatures as the Play Store version. (F-Droid versions always have different signatures because they are built by F-Droid from sources, not by the developer.)

In Google Play Store there's an option to allow Play Protect to detect all apps on the phone, not only the ones installed through play store. AFAIK that option is enabled by default. If that's allowed Play Store offers updates for these detected apps if available (and they have the same signatures as written before).

Maybe you could prevent updating these apps by just disabling the option afterwards.

To prevent app detection through Play Store from the beginning, you should disable this option immediately after logging in into your Google account on the phone. And best way would be not to have installed any other apps from other sources before disabling that option.

harp

schklom Play Protect does not change this behaviour sadly, it simply sends the APKs to Google to check for malicious stuff. I disable it, but your issue is unrelated to it.

Maybe right, if Play Protect already checked these Apps. But I can confirm: I have apps installed from other sources while Play Protect for all apps not installed by Play Store was disabled, they weren't shown in the installed apps list within Play Store. But after enabling this option, these apps (when they were available in Play Store) were shown and then also updates offered. And yes, disabling this option won't let these apps disappear from the list. (But I did not know if updates would be still offered.)

But creating a fresh Google account and disabling the option immediately while first Login (maybe while network connection was turned off - can't remember anymore if this worked in Play Store app) helped preventing to detect these apps by Play Store.

fph

Maybe not the answer that you were looking for, but note that updating the app via the Play Store is safe. The app is signed with the developer's key, and Google cannot tamper with it nor change the key while updating it.

de0u

fph Updating the app via the Play Store is safe. The app is signed with the developer's key, and Google cannot tamper with it nor change the key while updating it.

I believe that was true but is less and less true over time: https://support.google.com/googleplay/android-developer/answer/9842756

Elgoog

fph Thank you, that is reassuring, thoughI still prefer to minimize the extent to which Google keeps track of which apps I've installed.

For, say, a banking app, where security is paramount, I install it from Play as the bank suggests and accept the compromise on privacy. But for less critical apps like VLC, I would prefer that Google not know I've installed it in the first place.

DeletedUser495

Elgoog I am afraid that is not how it works. Play services can query all packages, whether they were installed by it or not and you can do nothing about that. The same goes for Aurora, although you can add apps to exceptions that you don't want updated by it, i. e. apps installed from another source but available on Google Play.

The simplest way is don't use neither of those.