IBM Security MaaS360

 View Only

APK's vs. Private Apps on Google Play

By Eamonn O'Mahony posted Wed October 20, 2021 12:55 PM

  

Hi all

This is a follow-up to my blog published in September, about changes in app deployment (see link at bottom of page). In it, I described how Android app deployment is changing, and how using APK files poses some security risk but is also no longer the recommended option for deployment to devices. 
You're probably familiar with the term Android Enterprise at this stage, and if not I highly recommend you go to our Security Learning Academy to review the content there (there's a lot!). Please remember that a lot of this content consists of short videos and recordings which only take a few minutes of your time. 

Moving to a new way of working
As we discussed last time, Google are recommending a change to the way that apps are distributed. If you use more than just public Google Play Store apps in your MaaS360 Apps, you may need to read this blog.
Up to now, our customers used APK files and uploaded these to the MaaS360 App Catalog, distributing them as Enterprise apps for Android. Confusing? Just remember we've been using the term enterprise since before Android for Work was renamed in 2016. We got there first! :)
On the last blog I discussed the security implications of opening up the possibility of installing non-Play Store apps, which of course you could not lock down to specific apps, meaning that unwanted APK's with malware and so on could also get installed. 
Google, have developed Google Play Protect 1, helping to protect your Android devices, so that apps uploaded to the Play Store are scanned, and so are apps on your devices, when installed, as the Play Store app on the Android device is also performing a scan for harmful things like malware. Your Android devices are now protected, a lot better than they used to be in the past.  2, 3
OK so you understand Google Play Protect, but what about your apps?

Adding apps in the MaaS360 admin console

  • As you know already, you can add an existing Google Play app to your MaaS360 App console. When you set up the Android Enterprise integration, and your Play Store is managed, you now have control over which store apps users should see in their work profile. This app can now be distributed to devices.
  • In addition, you can use another option Private App for Android Enterprise. This is where you upload the APK into the MaaS360 console, and it gets synched with your managed Play Store instance.
  • Is this app now going to be visible to everyone including people outside your organisation? Answer: NO!
  • Because you’re using the Private app option, it won’t be visible to anyone that does not have their Android device enrolled to your instance of Android Enterprise, and your instance of MaaS360. Let me prove it to you.


Verifying that APK’s uploaded via MaaS360 as Private apps are not Publicly visible

Because you have set up a managed Android Enterprise, meaning you have your own instance of Google Play, this has a unique identifier on the Google platform. Here’s how to verify it:

  • Open https://play.google.com/work on your browser
  • Log in with the same Google account that you used to set up Android Enterprise
  • On the left, click on “Admin Settings”
  • Now you see your Organisation information – organisation name and Organisation ID.
  • This Organisation ID is the unique identifier for your instance of the Play Store.
  • For devices enrolled into your instance of MaaS360, they will connect to your instance of Android Enterprise (managed Play Store) and receive the apps you have selected and distributed.
  • As a test you can do this with a sample APK file, upload it as above, and wait for MaaS360 and Google Play to synch (may take some time).
  • Now, add the app to your App Catalog, distribute to a device and test that the user can see it in the Play Store app on their device.
  • Also do a test for a device outside of the work profile, or for a non-enrolled device.
  • The app won’t be visible on the 2nd

For full steps on adding a Private app, please see document link no. 4 below.

Google Play console / Admin settings
Play Store / Organisational ID

 

Your APK apps uploaded through MaaS360 console don’t appear to non-enrolled users

That’s right!  If you have a device which isn’t enrolled to your instance of MaaS360, and they type in the name of a private app you have uploaded, they won’t be able to find it. For a good reason – it’s only available to the Organisation ID on Google Play as described above.

 
Advantages of using Private Apps on Google Play instead of APK’s

  • You can switch off the setting to Allow Non-Google Play apps, better protecting your devices.
  • Modern app management provided by Google, which along with Android Enterprise is the only way that Google want you to use to manage your devices and apps.
  • Apps can be uploaded to MaaS360 App Catalog – do it from the portal directly!
  • Private apps are not visible to non-MaaS360 enrolled users
  • There are ways of doing versioning and using version control. We will cover this in our next blog.

 Summary of 3 types of apps for Android

App type > 1. Google Play (public) 2. Enterprise app for Android (APK) 3. Private app on Google Play
Requires .APK file No - already uploaded to Google Play, just add to your MaaS360 App Catalog Yes - add to your MaaS360 App Catalog directly Yes - initial upload of the APK file to the MaaS360 App Catalog is required, this then synchs to the Play Store. 
Requires policy setting "Allow install of Non-Google Play apps" No Yes No
Can be added to/through MaaS360 App Catalog Yes Yes Yes
Installed on device via Play Store app MaaS360 App Catalog Play Store app
Restricted to your users only No (public app available to all) Yes - APK only available on your MaaS360 App Catalog Yes - only available to users enrolled into your instance of MaaS360
Installs for devices enrolled in Device Administrator mode No - user has to accept install prompt. Plus, updates are depending on whether user has enabled them in Play Store app.  Automatic/silent for Samsung SAFE/KNOX devices only.
For all other device types, user must accept prompt. 
No - user has to accept install prompt. Plus, updates are depending on whether user has enabled them in Play Store app. 
Installs for devices enrolled in Profile Owner mode Automatic /silent (installed without needing user acceptance) User must accept prompt (not silent install) Automatic /silent (installed without needing user acceptance)
Installs for devices enrolled in Device Owner mode Automatic /silent (installed without needing user acceptance) Installed silently (without user prompt) Automatic /silent (installed without needing user acceptance)


*Remember to check the boxes for "Install Automatically" and "Update Automatically" where these appear. Note that these only take effect for new distributions, not for devices to which you have already distributed the app. 

Finally, the documentation below is intended to give you further information, and the document linked in point 5 is a very simple and well-written explanation of the new world of Private Apps on Google Play.

Recent blog: App deployment for Android: the times are a-changin'

Documentation
1. Google: Security measures in Google Play Protect
https://support.google.com/googleplay/answer/2812853?hl=en
2. IBM article on mobile security (SecurityIntelligence.com)
https://securityintelligence.com/preparing-for-the-unpredictable-security-in-a-new-world-of-mobile-malware/ 
3. Kaspersky Security Bulletin, 2020-21
https://securelist.com/kaspersky-security-bulletin-2020-2021-eu-statistics/102335 

4. Documentation on adding a Private App

https://www.ibm.com/docs/en/maas360?topic=catalog-adding-private-app-android-enterprise
5. Deploy private Android Apps on Google Play
https://www.techrepublic.com/blog/google-in-the-enterprise/deploy-private-android-apps-on-google-play/ 

0 comments
34 views

Permalink