Android's open ecosystem is both its strength and its security challenge. Applications can be distributed through Google Play, alternative stores, direct APK downloads, and enterprise MDM systems. Each distribution channel has different trust properties, and the verification mechanisms available to security teams are often underutilized.
Google Play Protect provides automated malware scanning, but it is not a supply chain verification system. It checks whether an app behaves maliciously, not whether the app was built by who you think built it, from the source code you expect, using uncompromised dependencies.
APK Signing Verification
How APK Signing Works
Every Android APK must be signed before it can be installed. The signing certificate is almost always self-signed; Android does not consult a certificate authority, so the signature proves only that the APK was produced by someone holding the signing key. Android uses this signature to verify that updates come from the same key as the original installation, which is why a stolen or rotated key is a supply chain event and not just an operational one.
Android has added signing schemes over time. The three you will encounter when verifying an APK are:
v1 (JAR signing): The original scheme. It signs the contents of each ZIP entry individually, so ZIP metadata and any bytes outside the entries are not covered. The Janus flaw (CVE-2017-13156) exploited this: a DEX file could be prepended to a v1-only APK without invalidating its signature. v1 is still required for devices below Android 7.0.
v2 (APK Signature Scheme v2): Introduced in Android 7.0. It signs a hash over the whole APK (every ZIP section except the signing block that holds the signature), so any byte-level modification invalidates the signature, and verification no longer requires unpacking the archive.
v3 (APK Signature Scheme v3): Introduced in Android 9. It extends v2 with a proof-of-rotation structure, allowing developers to change their signing key without breaking the update chain; v3.1 (Android 13) refines which devices the rotation targets. Android 11 also added v4, a separate .idsig file derived from the v2 or v3 signature that enables streaming installs; it supplements those schemes rather than replacing them.
Verifying Signatures
Use the apksigner tool from Android SDK Build Tools to verify APK signatures:
apksigner verify --verbose --print-certs application.apk
The output reports, per scheme, whether verification succeeded (for example "Verified using v2 scheme (APK Signature Scheme v2): true"), the number of signers, and each signer's certificate DN and SHA-256 digest, followed by any warnings. For enterprise app vetting, compare that SHA-256 digest against the developer's certificate digest obtained out of band; the DN is self-asserted in a self-signed certificate and proves nothing. Also check that a v2 or v3 signature verified, not only v1: a v1-only APK can still be installable on many devices, and its signature does not cover the whole file.
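The following script, added here as an example and not part of the original article or the Android SDK, inventories which signing schemes an APK carries by parsing the ZIP End of Central Directory, the APK Signing Block that sits immediately before the Central Directory, and the META-INF signature files that v1 leaves behind. The v2 and v3 block IDs are the ones documented for the APK Signing Block format; the v3.1 ID is taken from the apksig sources and is an assumption on my part. The build_sample_apk helper and its zero-filled block values are constructed test input, so this only detects presence of a scheme: cryptographic verification still belongs to apksigner.

```python
import io
import struct
import zipfile

# Block IDs from the APK Signing Block format (v2/v3 documented by Android;
# the v3.1 ID is taken from apksig and assumed correct here).
SCHEME_IDS = {
    0x7109871A: "v2",
    0xF05368C0: "v3",
    0x1B93AD61: "v3.1",
}
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"
V1_SIG_SUFFIXES = (".RSA", ".DSA", ".EC")


def find_eocd(data: bytes) -> int:
    """Offset of the ZIP End of Central Directory record (non-ZIP64 archives)."""
    # EOCD is 22 bytes plus an optional comment of at most 65535 bytes.
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))
    if idx < 0 or idx + 22 > len(data):
        raise ValueError("not a ZIP/APK: no End of Central Directory record")
    return idx


def central_directory_offset(data: bytes) -> int:
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def parse_signing_block(data: bytes) -> dict:
    """Return {block_id: value_bytes} from the APK Signing Block, {} if absent.

    Layout: u64 size | (u64 len, u32 id, value)* | u64 size | 16-byte magic,
    located immediately before the ZIP Central Directory. Both size fields
    exclude the leading size field itself.
    """
    cd_offset = central_directory_offset(data)
    if cd_offset < 32 or data[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return {}
    (footer_size,) = struct.unpack_from("<Q", data, cd_offset - 24)
    block_start = cd_offset - footer_size - 8
    if block_start < 0:
        raise ValueError("APK Signing Block size field exceeds file length")
    (header_size,) = struct.unpack_from("<Q", data, block_start)
    if header_size != footer_size:
        raise ValueError("APK Signing Block size fields disagree")
    pairs = {}
    pos, end = block_start + 8, cd_offset - 24
    while pos < end:
        (pair_len,) = struct.unpack_from("<Q", data, pos)
        pos += 8
        if pair_len < 4 or pos + pair_len > end:
            raise ValueError("malformed ID-value pair in APK Signing Block")
        (block_id,) = struct.unpack_from("<I", data, pos)
        pairs[block_id] = data[pos + 4:pos + pair_len]
        pos += pair_len
    return pairs


def has_v1_signature(data: bytes) -> bool:
    """v1 (JAR) signing leaves META-INF/*.RSA, *.DSA or *.EC signature files."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.startswith("META-INF/") and n.upper().endswith(V1_SIG_SUFFIXES)
                   for n in zf.namelist())


def signing_schemes(data: bytes) -> list:
    """Signing schemes present in an APK. Presence only: use `apksigner verify`
    for cryptographic verification of the signatures themselves."""
    schemes = ["v1"] if has_v1_signature(data) else []
    for block_id in parse_signing_block(data):
        if block_id in SCHEME_IDS:
            schemes.append(SCHEME_IDS[block_id])
    return schemes


def build_sample_apk(block_ids, v1=False) -> bytes:
    """Constructed test input: a tiny ZIP with a dummy APK Signing Block spliced
    in. Block values are zero bytes, so this is NOT a validly signed APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        if v1:
            zf.writestr("META-INF/CERT.SF", b"")
            zf.writestr("META-INF/CERT.RSA", b"")
    data = buf.getvalue()
    eocd, cd_offset = find_eocd(data), central_directory_offset(data)
    pairs = b"".join(struct.pack("<QI", 4 + 16, bid) + b"\x00" * 16 for bid in block_ids)
    size = len(pairs) + 8 + 16  # everything after the leading size field
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    patched = bytearray(data[:cd_offset] + block + data[cd_offset:])
    # The Central Directory moved: fix the offset stored in the (also moved) EOCD.
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(patched)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(signing_schemes(f.read()))
```

Run it against a real APK and treat an output of ["v1"] alone as a reason to look closer; an empty list means the file is not signed at all and Android will refuse to install it.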
Certificate Pinning in MDM
Enterprise MDM solutions can enforce an allowlist of signing certificates for managed applications: only APKs signed with the listed certificates are allowed to install. Pin the certificate's SHA-256 digest rather than the package name, since anyone can publish an APK with the same package name under a different key. This prevents installation of applications signed by unknown or unauthorized developers, including repackaged copies of your own apps.
Build Reproducibility
APK signing tells you who signed the package. It does not tell you what source code was used to build it. Build reproducibility verification bridges this gap.
Reproducible Builds for Android
A reproducible build produces the same binary output from the same source input, regardless of when or where the build runs. If you can reproduce an APK from its source code and get the same binary, you have strong evidence that the APK contains what the source code describes.
Android builds are notoriously difficult to make reproducible due to timestamps embedded in resources, non-deterministic compilation and packaging order, and build environment variations (JDK, NDK and build-tools versions). However, progress has been made: the Reproducible Builds project publishes guidance and tools such as diffoscope for pinpointing where two builds diverge, and build systems like Bazel are designed for deterministic outputs. Note that signatures are never reproducible across keys, so compare unsigned outputs, or strip the signing metadata before comparing.
Comparing APK Contents
Even without full reproducibility, you can compare APK contents against expectations. Extract the APK, hash each entry, and compare against your own build: set aside the META-INF signature files (which differ whenever the signer differs), then look at the DEX files, native libraries under lib/, and resources. Verify that no unexpected files are present, that no code or native library differs from your build, and that the included libraries match your dependency manifests.
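As an added example (not part of the original article), the script below performs that comparison: it hashes every entry of two APKs, ignores the META-INF signature files that legitimately differ after re-signing, reports added, removed and changed entries, and flags the ones that carry executable content (DEX files and lib/**/*.so). The two APKs it compares are constructed inline from placeholder bytes to make the example self-contained; the names and payloads are invented for illustration.

```python
import hashlib
import io
import zipfile

# Signing-only artefacts that legitimately differ between an upstream APK and a
# rebuilt one signed with a different key.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name: str) -> bool:
    return name.startswith(SIGNATURE_PREFIX) and name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk: bytes) -> dict:
    """Map every non-signature ZIP entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_apks(reference: bytes, candidate: bytes) -> dict:
    """Compare a candidate APK against a reference (e.g. your own rebuilt APK).

    Returns added/removed/changed entry names so the caller can decide what is
    acceptable (a re-signed build) and what is not (an extra .dex, a swapped .so).
    """
    ref, cand = entry_digests(reference), entry_digests(candidate)
    return {
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "changed": sorted(n for n in set(ref) & set(cand) if ref[n] != cand[n]),
    }


def suspicious_changes(diff: dict) -> list:
    """Flag added or changed executable content: DEX code and native libraries.
    Resource-only differences are still reported by diff_apks, just not flagged."""
    def executable_like(name: str) -> bool:
        return name.endswith(".dex") or (name.startswith("lib/") and name.endswith(".so"))
    return sorted(n for n in diff["added"] + diff["changed"] if executable_like(n))


def build_apk(entries: dict) -> bytes:
    """Constructed test input: a ZIP with the given {name: content} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a reference build, and a repackaged copy that was re-signed
# (different META-INF), had its DEX modified, and gained a native library.
REFERENCE_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00original-bytecode",
    "lib/arm64-v8a/libapp.so": b"\x7fELF original",
    "res/values/strings.xml": b"<resources/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
    "META-INF/CERT.SF": b"Signature-Version: 1.0",
    "META-INF/CERT.RSA": b"\x30\x82original-pkcs7",
})
REPACKAGED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00patched-bytecode",
    "lib/arm64-v8a/libapp.so": b"\x7fELF original",
    "lib/arm64-v8a/libinjected.so": b"\x7fELF injected",
    "res/values/strings.xml": b"<resources/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
    "META-INF/CERT.SF": b"Signature-Version: 1.0 other",
    "META-INF/CERT.RSA": b"\x30\x82attacker-pkcs7",
})

if __name__ == "__main__":
    result = diff_apks(REFERENCE_APK, REPACKAGED_APK)
    print(result)
    print("flagged:", suspicious_changes(result))
```

For a real check, read both APK files from disk in place of the constructed byte strings. The diff is on uncompressed content, so differences in compression level or ZIP entry order (both common between build environments) do not register as changes.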
Dependency Auditing
Third-Party Library Inventory
Android applications typically include dozens of third-party libraries. Each library is a supply chain dependency. Create an inventory of all libraries included in your APK:
Use the Android Gradle plugin's dependency report to list all transitive dependencies for the variant you ship. The report covers only what Gradle resolves, so jars or native libraries checked into the repository and bundled directly must be inventoried from the APK itself:
./gradlew app:dependencies --configuration releaseRuntimeClasspath
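The report is a tree, with the same library repeated wherever it is pulled in and with conflict-resolution arrows showing which version Gradle actually chose. The following parser, added as an example and not part of the original article or of Gradle, flattens such a report into a deduplicated inventory of resolved coordinates (emitted as Package URLs of the form pkg:maven/group/artifact@version), skipping (c) constraint lines and project modules and collecting unresolved entries separately. The report text below is a constructed sample in the format Gradle prints; the library names and versions in it are illustrative.

```python
import re

# Gradle draws the tree with "+--- ", "\--- " and "|    " prefixes. A node is
# "group:artifact:version", optionally followed by " -> resolvedVersion" when
# conflict resolution changed it, and by a marker: (*) subtree already shown,
# (c) a dependency constraint rather than an artifact, (n) not resolvable.
# Nodes that failed to resolve carry a trailing "FAILED".
TREE_PREFIX = re.compile(r"^[\s|+\\-]*")
NODE = re.compile(
    r"^(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+)"
    r"(?::(?P<requested>\{[^}]*\}|[^\s]+))?"
    r"(?:\s*->\s*(?P<resolved>[^\s]+))?"
    r"(?:\s*\((?P<marker>[*cn])\))?\s*$"
)


def parse_dependency_tree(report: str) -> dict:
    """Flatten a `gradlew :app:dependencies` tree into resolved coordinates.

    Returns {"resolved": {"group:artifact": version}, "unresolved": [...]}.
    Gradle resolves exactly one version per configuration, so repeated nodes
    for the same coordinate carry the same resolved version.
    """
    resolved, unresolved = {}, set()
    for raw in report.splitlines():
        line = TREE_PREFIX.sub("", raw).strip()
        failed = line.endswith(" FAILED")
        if failed:
            line = line[: -len(" FAILED")].rstrip()
        m = NODE.match(line)
        if not m:  # headers, legend, blank lines and `project :x` modules
            continue
        coord = f"{m['group']}:{m['artifact']}"
        if m["marker"] == "c":
            continue
        if failed or m["marker"] == "n":
            unresolved.add(coord)
            continue
        version = m["resolved"] or m["requested"]
        if version:
            resolved[coord] = version
    return {"resolved": resolved, "unresolved": sorted(unresolved)}


def sbom_components(report: str) -> list:
    """Resolved dependencies as sorted Package URLs (pkg:maven/group/artifact@version)."""
    resolved = parse_dependency_tree(report)["resolved"]
    return sorted(f"pkg:maven/{coord.replace(':', '/')}@{version}"
                  for coord, version in resolved.items())


# Constructed sample in the format printed by `./gradlew app:dependencies`.
SAMPLE_REPORT = r"""
> Task :app:dependencies

------------------------------------------------------------
Project ':app'
------------------------------------------------------------

releaseRuntimeClasspath - Runtime classpath of compilation 'release' (target  (androidJvm)).
+--- androidx.appcompat:appcompat:1.6.1
|    +--- androidx.annotation:annotation:1.3.0 -> 1.6.0
|    \--- androidx.core:core:1.9.0
|         \--- androidx.annotation:annotation:1.6.0 (*)
+--- com.squareup.okhttp3:okhttp:4.9.0 -> 4.12.0
|    \--- com.squareup.okio:okio:3.6.0
+--- com.squareup.okio:okio:{strictly 3.6.0} -> 3.6.0 (c)
+--- org.jetbrains.kotlin:kotlin-stdlib -> 1.9.22
+--- com.example:internal-sdk:2.0 FAILED
\--- project :lib
     \--- com.google.code.gson:gson:2.10.1

(c) - A dependency constraint, not a dependency. The dependency affected by the constraint occurs elsewhere in the tree.
(*) - Indicates repeated occurrences of a transitive dependency subtree. Gradle expands transitive dependency subtrees only once per project; repeat occurrences only display the root of the subtree, followed by this annotation.
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for purl in sbom_components(text):
        print(purl)
    print("unresolved:", parse_dependency_tree(text)["unresolved"])
```

Pipe the real report to a file (./gradlew app:dependencies --configuration releaseRuntimeClasspath > deps.txt) and pass it as the argument. Note that okhttp's requested 4.9.0 disappears from the inventory: only the version Gradle actually put on the classpath, 4.12.0, matters for vulnerability matching, and a FAILED entry means your build is not resolving what you think it is and should fail the pipeline, not just the report.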
Vulnerability Scanning
Scan your dependencies against known vulnerability databases. Tools like OWASP Dependency-Check and commercial SCA tools support Android Gradle projects.
License Compliance
Some open-source licenses have requirements that are relevant to security. GPL-licensed code in a proprietary application can create legal risks. AGPL-licensed code requires source disclosure for network services. Track license obligations alongside vulnerability scanning.
SDK Security Assessment
Third-party SDKs (analytics, advertising, crash reporting) often request broad permissions and communicate with external servers. Assess each SDK for data collection practices and the security of its communication channels.
Review SDKs for excessive permission requests, clear-text network communication, inclusion of known-vulnerable libraries, and data collection beyond what is needed for the SDK's stated purpose.
Distribution Channel Security
Google Play App Signing
Google Play App Signing stores your app's signing key on Google's infrastructure. You sign uploads with a separate upload key, and Google re-signs the APKs it distributes through the Play Store with the app signing key; it is mandatory for apps published as Android App Bundles. This protects against signing key theft from your build infrastructure (a compromised upload key can be reset without breaking updates) but requires trusting Google with your signing key and with the final build step, since Google generates the APKs from your bundle.
For enterprise applications, evaluate whether the convenience of Google-managed signing outweighs the loss of direct key control.
Enterprise Distribution
Applications distributed through enterprise MDM bypass the Play Store entirely. The security of this distribution channel depends on the security of your MDM infrastructure and the integrity of your build pipeline.
Sign enterprise APKs with a dedicated signing key stored in a hardware security module (HSM). Verify signatures on the MDM server before distributing to devices.
Alternative Stores
Applications distributed through alternative stores (F-Droid, Amazon Appstore, Samsung Galaxy Store) go through different review processes. F-Droid builds applications from source on its own infrastructure and signs them with its own key, unless the build is reproducible, in which case it publishes the developer's signed APK after confirming the rebuilt contents match; either way the user gets supply chain transparency that a binary-only store cannot offer. Other stores have their own review processes with varying rigor.
Monitoring Deployed Applications
Runtime Integrity Verification
SafetyNet Attestation (deprecated in favor of the Play Integrity API) can verify that an application is running on a genuine, unmodified Android device. This detects rooting, custom ROMs, and certain types of runtime tampering. Play Integrity additionally returns an app integrity verdict stating whether the running binary and certificate match what Google Play distributed, which catches repackaged or sideloaded modifications. The verdict is a signed token and must be validated on your server, not trusted by the app itself, since a tampered app can simply skip the check.
Detect Repackaging
Monitor for repackaged versions of your application distributed outside your authorized channels. Repackaged apps may include added malware, removed security controls, or modified behavior.
Monitor for Clones
Watch for applications on the Play Store and alternative stores that impersonate your application. Clone apps with similar names, icons, and descriptions can trick users into installing malicious software.
How Safeguard.sh Helps
Safeguard.sh provides comprehensive supply chain analysis for Android applications. It generates SBOMs that inventory every dependency in your APK, identifies vulnerable libraries and SDKs, and monitors for changes in dependency provenance across builds. When a third-party library used in your Android apps has a security issue, Safeguard.sh identifies every application and build that includes the affected component.