Until now, for security reasons, apps installed from third-party sources could not be updated automatically over the air, because Google does not recognize them as Play Store apps and they do not show up in your Google account app list either.
Late last year, Google announced its plan to set up an automated mechanism to verify the authenticity of an app by adding a small amount of security metadata on top of each Android application package (in the APK Signing Block) distributed by its Play Store.
This metadata is like a digital signature that helps your Android device verify that an app you have installed from a third-party source originated from the Play Store and has not been tampered with, for example, that a virus has not been attached to it.
Since early 2018, Google has been implementing this mechanism, which doesn't require any action from Android users or app developers, and which helps the company keep its smartphone users secure by adding those peer-to-peer shared apps to a user's Play Store Library in order to push regular updates.
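The APK Signing Block mentioned above is a container of ID-value pairs that sits immediately before the ZIP central directory. The following Python code is an added example, not code from the article or from Google: it lists the pair IDs and value sizes found in an APK, following the layout documented for APK Signature Scheme v2. The function names, the sample bytes and the ID `0x12345678` are constructed for illustration.

```python
import struct

MAGIC = b"APK Sig Block 42"          # trailer of every APK Signing Block
EOCD_SIG = b"PK\x05\x06"             # ZIP End of Central Directory record
KNOWN_IDS = {0x7109871A: "APK Signature Scheme v2"}

def central_directory_offset(data: bytes) -> int:
    # The EOCD is 22 bytes plus an optional comment of up to 65535 bytes.
    pos = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if pos < 0 or pos + 22 > len(data):
        raise ValueError("no ZIP End of Central Directory record")
    return struct.unpack_from("<I", data, pos + 16)[0]

def signing_block_entries(data: bytes) -> list:
    """Return [(pair_id, value_length)] for each ID-value pair, [] if no block."""
    cd = central_directory_offset(data)
    if cd < 32 or data[cd - 16:cd] != MAGIC:
        return []                     # v1-only (JAR-signed) or unsigned APK
    size = struct.unpack_from("<Q", data, cd - 24)[0]
    start = cd - size - 8             # size excludes the leading size field
    if size < 24 or start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    entries, pos, end = [], start + 8, cd - 24
    while pos < end:
        if end - pos < 12:
            raise ValueError("truncated ID-value pair")
        length, pair_id = struct.unpack_from("<QI", data, pos)
        if length < 4 or length > end - pos - 8:
            raise ValueError("ID-value pair overruns the block")
        entries.append((pair_id, length - 4))
        pos += 8 + length
    return entries

def build_constructed_apk() -> bytes:
    """Constructed sample: filler, a two-pair block (0x12345678 is made up), EOCD."""
    def pair(pair_id, value):
        return struct.pack("<QI", len(value) + 4, pair_id) + value
    pairs = pair(0x7109871A, b"\x00" * 8) + pair(0x12345678, b"constructed")
    size = len(pairs) + 24
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + MAGIC
    filler = b"\x00" * 64             # stands in for the ZIP local file entries
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(filler) + len(block), 0)
    return filler + block + eocd

if __name__ == "__main__":
    for pair_id, n in signing_block_entries(build_constructed_apk()):
        print(f"0x{pair_id:08x} {n:6d} bytes  {KNOWN_IDS.get(pair_id, 'unrecognized ID')}")
```

The code only enumerates the pairs and checks the block's framing; it does not validate any signature or the Play metadata itself.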
Additionally, Google yesterday announced a new enhancement to its plan by adding offline support for metadata verification that would allow your Android OS to determine the authenticity of "apps obtained through Play-approved distribution channels" while the device is offline.
"One of the reasons we're doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity," said James Bender, Product Manager at Google Play. "This will give people more confidence when using Play-approved peer-to-peer sharing apps."
It should be noted that this feature doesn't protect you from the threat of installing apps from third-party sources; instead, it merely helps you receive the latest updates for apps if their origin is the Google Play Store.
Last year, as part of its mission to secure the Android ecosystem, Google also added built-in behavior-based malware protection for Android devices, called Google Play Protect, which uses machine learning and app usage analysis to weed out dangerous and malicious apps.
Google Play Protect not only scans apps installed from the official Play Store but also monitors apps that have been installed from third-party sources.
Moreover, Play Protect now also supports offline scanning, which suggests that it will take care of the newly introduced metadata verification as well.
Although the Play Store itself is not completely immune to malware, users are still advised to download apps, especially those published by reputable developers, from the official app store to minimize the risk of getting their devices compromised.