The author of an app wants their app to be distributed only through the Play Store, so they only offer it there. In addition, they add a check that verifies that the app was indeed acquired through the Play Store, or else it refuses to run. Am I missing something? What is the issue? Do we want to tell people how they have to distribute their apps? Nobody forced them to do this verification.
The issue is that it's often not a conscious choice by the author. A lot of dubious features get bundled under 'play integrity', and since people tend to like words like security or integrity, they will just select that box (or it may even become the default). This creates a lock-in for play services, Google certification, etc., and locks out users of alternate operating systems and alternate stores.
I am not an [Android] app developer, so I know nothing about the details, but the subheading does not make it sound like this is something you can activate by accident, quite to the contrary, it sounds like a privilege if you are able to make use of this.
"Select Play Partners" can block unofficial installation of their apps.
I would however agree, if this gets bundled together with other features and you get forced to enable this if you want to make use of the other stuff in the bundle, that seems more problematic. Even then you could argue that it is up to Google to decide what kind of features they want to offer and bundle together, but given the market dominance I would be more open to the point of view that they should not be allowed to do whatever they want.
Play integrity is a basket of features with different levels. App developers can choose how much they want to enforce. So typically, you'll see banks and media companies crank that to the max. Occasionally, you'll also see random apps (like a fast food app) crank that up for no reason. The play integrity stuff is also a lot of theatre. It doesn't necessarily ensure security, because Android in the wild is wildly insecure with EOL devices that never get an update after they are sold, but it's a way to make the suits happy. They take comfort in the fact that Google says it's secure.
Notably, Google is the only entity who can bless it with this badge.
But even if people unintentionally activate this, should this be a reason to prohibit Google from offering this? Can you not tell the app developers and they can decide to deactivate it if they want and care to do so? I think I would really have to see how you enable or disable this and what other implications this has in order to judge if it seems appropriate.
EDIT: I did a quick search and to me it looks like you have to make an API call and then look at the response and decide what to do. Is there some ready-made component that you can use without getting to see the details? Otherwise it seems that you have to check appLicensingVerdict and decide to refuse to run if this comes back as UNLICENSED and I do not see how you could do this by accident. Then again, that does not sound like selected partners, that sounds like everyone can do this, so maybe I was looking at the wrong thing.
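The check described in the comment above, together with the "different levels" of enforcement mentioned earlier in the thread, sketched as an added example that is not part of any commenter's post or of Google's code. It assumes the integrity token has already been decrypted and verified on the server; the policy names, the five-minute freshness window and the sample payload are constructed for illustration.

```python
import time

# Policy levels are hypothetical; field and enum names follow the decoded verdict.
POLICIES = {
    "lenient": {"licensing": False, "app": False, "device": False},
    "store_only": {"licensing": True, "app": True, "device": False},
    "strict": {"licensing": True, "app": True, "device": True},
}
MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window for a verdict

# Constructed sample: a sideloaded copy on a device without Google certification.
SAMPLE_SIDELOADED = {
    "requestDetails": {"requestPackageName": "com.example.app",
                       "timestampMillis": "1700000000000"},
    "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION"},
    "deviceIntegrity": {"deviceRecognitionVerdict": []},
    "accountDetails": {"appLicensingVerdict": "UNLICENSED"},
}


def evaluate_verdict(payload, expected_package, policy="store_only", now_ms=None):
    """Return (allowed, reasons) for an already decrypted and verified payload."""
    rules = POLICIES[policy]
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []

    # Bind the verdict to this app and reject replays of old tokens.
    request = payload.get("requestDetails", {})
    if request.get("requestPackageName") != expected_package:
        reasons.append("package name mismatch")
    try:
        age = now_ms - int(request.get("timestampMillis"))
    except (TypeError, ValueError):
        age = None
    if age is None or not (0 <= age <= MAX_AGE_MS):
        reasons.append("stale or missing timestamp")

    # A missing section is treated like UNEVALUATED, which fails a required check.
    licensing = payload.get("accountDetails", {}).get("appLicensingVerdict", "UNEVALUATED")
    if rules["licensing"] and licensing != "LICENSED":
        reasons.append(f"appLicensingVerdict={licensing}")
    app = payload.get("appIntegrity", {}).get("appRecognitionVerdict", "UNEVALUATED")
    if rules["app"] and app != "PLAY_RECOGNIZED":
        reasons.append(f"appRecognitionVerdict={app}")
    labels = payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if rules["device"] and "MEETS_DEVICE_INTEGRITY" not in labels:
        reasons.append("device integrity not met")
    return (not reasons, reasons)
```

The same payload passes under "lenient" and fails under "store_only" or "strict", so whether users of alternate stores or operating systems are locked out follows from the policy the developer picks, not from the verdict itself.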
It's not so much about intentional vs. unintentional. Rather, it's about these proprietary features becoming the de facto standard on an open operating system. The decision will not be in the hands of the developer; rather it'll come top down where the management will say that we check for integrity. After all, who doesn't like some tegridy?
I'm with you. I fundamentally don't see the problem. I actually think it's great.
My understanding was that Android apps were quite unsecure and could be pirated and distributed by another "developer" in an app store in a different country without the original developer ever knowing.
F-Droid style delivery is far more secure than anything from Apple or Google. This is only possible on Android since Apple only allows you to install mysterious binary files from their mysterious store on their mysterious OS. F-Droid attests the source code directly by building the app it distributes instead of relying on trusting the developer to upload a black box binary. https://f-droid.org/docs/Security_Model/
On the surface it sounds like an ok idea but IMO it's giving (even more) too much power to the play store to control what apps you can and can't install on your own device.
The original developer makes the decision, and they have to actively choose it when it makes sense for their app. Only pirated apps are affected.
Some software should be free. Software that is nonfree has its place as well and should be allowed to have restrictions so the developers can protect their hard work, get paid, feed their families, etc. I really am looking at this from the indie developer's perspective.