Learn how Google lets apps check for risky software

Every app developer is responsible for protecting their own users, but they have little control over what other software a user installs on their device — and for good reason. Users should be able to install any apps they want on their personal devices (including via sideloading), but some of those apps can be malicious and do things like silently record your screen. That’s why Google is giving developers a new tool that forces users to close potentially risky apps before they can steal any data.

The new tool — called App Access Risk — is being shipped as part of the Google Play Integrity API. It’s a system that helps developers “check that server interactions and requests originate from (their) original app binary running on the original Android device.” It analyzes the app calling the API, as well as the operating system itself, to look for signs of tampering. Apps calling the API receive an integrity verdict that tells them whether the app binary and the software environment it’s running in are “original,” meaning they match the versions known to Google.

Using the new App Access Risk feature, developers can determine if there are other apps running on the device that could potentially be risky. These include apps that can capture the screen and apps that can control the device. Malware often abuses Android’s APIs for screen recording and accessibility control, so developers should be on the lookout for active apps that have these permissions.

The way app access risk works is pretty simple. When developers call the Play Integrity API, they get an integrity verdict that tells them if there are any potential issues. If environmentDetails.appAccessRiskVerdict.appsDetected field in integrity verdict returns “UNKNOWN_CAPTURING“UNKNOWN_CONTROLLING“KNOWN_CAPTURING,” Or “KNOWN_CONTROLLING”, this means that Google Play Protect has detected running apps that can capture your screen or control your device.

Developers can then display one of two repair dialogs to prompt the user to close these applications. CLOSE_UNKNOWN_ACCESS_RISK dialog should appear if the developer wants the user to close apps unknown to Google — those that were not installed from the Play Store. CLOSE_ALL_ACCESS_RISK dialog should be displayed if the developer wants the user to close all apps that can capture the screen or control the device, even if those apps were installed from Google Play.

The only exceptions are true accessibility apps that are known to Google, i.e. apps on Google Play that formally declare that they are accessibility tools, which is only allowed for apps that go through an extensive approval process. True accessibility apps are excluded from the “KNOWN_CONTROLLING” so that users who use them will not have to disable them to use other applications.

For privacy reasons, developers who use the app risk feature are not given any user or device identifiers or any information about the apps that triggered a positive verdict. In other words, they are only informed that some apps may be risky, but not which ones.

Google announced the App Access Risk feature at I/O earlier this year. It’s been in public beta since then, and companies like NEWBANK, Revolut, Mercado Libre, and PhonePe are already using it. The image I shared above is from an open-source app created by developer linuxct to demonstrate the new functionality. Developers interested in the App Access Risk feature should check out the linuxct demo app and Google’s documentation to learn more about how to implement it.