Why would distributing via Google Play be more secure than distributing APKs?

One of the best security practices is keeping your software up to date. With the Google Play Store, you can set your installed apps to update automatically (if this isn't already set by default).

To keep manually downloaded apps up to date, you would have to download their APKs every time their developers publish a new version. To do this, you would probably have to subscribe to a newsletter or RSS feed, and check your email/RSS reader regularly for updates. This might be an acceptable setup for a couple of apps, but this will become troublesome as the number of your apps increases. Not to mention, you'll probably have to check the signatures/checksums of the apps one by one to verify their integrity.


First and foremost, publishing an APK on your website encourages bad security practices on the user's part. In my opinion you should be encouraging the average user to trust only the Google Play Store for the following reasons:

  • Downloading APKs from a website requires the user to confirm the source is secure and legitimate, or test the APK to make sure it's safe. In practice, many users just rely on Google Play Protect to catch malicious apps and risk getting infected with trojans like Gooligan or this fake Google Chrome.
  • Not using the Google Play store makes it harder to keep apps up to date. If a security bug is found in your code, or a shared library needs a security patch, how are you going to make sure all users know about the update? Side-loaded apps don't update in the Play Store. Providing a notification to the user and especially forcing them to update isn't simple either.
  • Side-loading, or installing apps from sources other than Google Play, requires changing your security settings to enable side-loading. This opens up users to accidentally side-loading malware if they aren't careful, including through other channels like malvertising. In Android Oreo this permission is a little more complex, but you can still open up users to side-loading through malvertising.

Second, your website is presumably less secure than Google's app store. If an attacker compromises your website (or redirects users to their servers by using a MITM or DNS poisoning attack) they could trick users into installing a compromised version of the APK. Posting the hash of the APK or your developer signature won't help here since they could change that part of the website as well (checksums offer very limited security protection, and signatures are mostly for developer authentication and non-repudiation). Depending on how secure your website is, this may not be a large and realistic threat. Typically, compromised sites instead not-so-subtly encourage downloading generic malware apps under the guise of Adobe Flash, a browser update, etc. (like this example).

Third, your website could be phished or spoofed. Hackers have been known to make banking websites that look legitimate, post links to them or SEO-optimize them, and plant fake banking apps with malware on the spoofed site (source). This goes along with my earlier point that you should be encouraging your average user to trust only the Google Play store.

Note: I intentionally focused on the security issues at play here, rather than the significant usability and convenience issues.

Edit: this answer is no longer correct thanks to the replacement of Google Bouncer with Android Play Protect.
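The second point of the answer above (a hash or signature posted on the same site does not help once that site is compromised, because signatures authenticate the developer rather than the page) can be shown concretely. The following Go program is an added example, not code from the answer or from Android itself: it models an APK as a plain zip with constructed entry names (`classes.dex`, `META-INF/SIGNER.PUB`, `META-INF/DEX.SIG`) and uses Ed25519 in place of Android's real APK signing scheme. It compares two checks a user could run on a side-loaded download: a SHA-256 against the hash published on the same site, and a check that the embedded signer matches a developer key fingerprint pinned out of band.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
)

// Entry names are constructed for this model, not the real APK Signature Scheme layout.
const dexEntry, pubEntry, sigEntry = "classes.dex", "META-INF/SIGNER.PUB", "META-INF/DEX.SIG"

// SignerFingerprint is the SHA-256 of the developer's public key: the value a
// user pins after obtaining it out of band, not from the download site.
func SignerFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// BuildPackage assembles a simplified "APK": a zip holding the dex, the
// signer's public key and an Ed25519 signature over the dex. Writes go to an
// in-memory buffer, so the zip writer's errors are not reachable here.
func BuildPackage(dex []byte, priv ed25519.PrivateKey) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, data := range map[string][]byte{
		dexEntry: dex,
		pubEntry: priv.Public().(ed25519.PublicKey),
		sigEntry: ed25519.Sign(priv, dex),
	} {
		w, _ := zw.Create(name)
		w.Write(data)
	}
	zw.Close()
	return buf.Bytes()
}

// readEntry returns the named zip entry, or nil if it is absent or unreadable.
func readEntry(zr *zip.Reader, name string) []byte {
	for _, f := range zr.File {
		if f.Name == name {
			rc, err := f.Open()
			if err != nil {
				return nil
			}
			defer rc.Close()
			data, _ := io.ReadAll(rc)
			return data
		}
	}
	return nil
}

// VerifyChecksum is the same-origin check: the download is compared against a
// SHA-256 published on the very site that served it.
func VerifyChecksum(pkg []byte, publishedHex string) bool {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:]) == publishedHex
}

// VerifyPinnedSigner accepts the package only if the embedded key matches the
// pinned fingerprint and its signature over the dex verifies.
func VerifyPinnedSigner(pkg []byte, pinnedFingerprint string) error {
	zr, err := zip.NewReader(bytes.NewReader(pkg), int64(len(pkg)))
	if err != nil {
		return err
	}
	dex, pubBytes, sig := readEntry(zr, dexEntry), readEntry(zr, pubEntry), readEntry(zr, sigEntry)
	if dex == nil || sig == nil || len(pubBytes) != ed25519.PublicKeySize {
		return errors.New("package is missing or has malformed signing data")
	}
	pub := ed25519.PublicKey(pubBytes)
	if SignerFingerprint(pub) != pinnedFingerprint {
		return errors.New("signer does not match the pinned developer key")
	}
	if !ed25519.Verify(pub, dex, sig) {
		return errors.New("signature over classes.dex is invalid")
	}
	return nil
}

// RunScenario models the compromised-site case from the answer: the attacker
// swaps in a package signed with their own key and edits the published hash
// to match. It reports whether the same-site checksum accepts the tampered
// package, whether the pinned-signer check rejects it, and whether the
// pinned-signer check still accepts the genuine one.
func RunScenario() (checksumAcceptsTampered, pinnedRejectsTampered, pinnedAcceptsGenuine bool) {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := BuildPackage([]byte("genuine app code (constructed)"), devPriv)
	tampered := BuildPackage([]byte("trojaned app code (constructed)"), attackerPriv)
	pinned := SignerFingerprint(devPub) // obtained out of band, e.g. from the developer
	tamperedSum := sha256.Sum256(tampered)
	publishedHex := hex.EncodeToString(tamperedSum[:]) // attacker also edits the site's hash
	return VerifyChecksum(tampered, publishedHex),
		VerifyPinnedSigner(tampered, pinned) != nil,
		VerifyPinnedSigner(genuine, pinned) == nil
}
```

`RunScenario` returns `true, true, true`: the same-site checksum passes on the substituted package because the attacker controls the hash as well, while the pinned-signer check rejects it and still accepts the genuine build. The pin only helps if the fingerprint came from somewhere the attacker does not control; on a real device the package manager does the equivalent for updates by refusing an update whose signer differs from the installed app, which is why the first install of a side-loaded APK is the exposed step.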


When you use Google Play to distribute your app, you declare that you comply with Google's Content Policy, which means that the app is safer for the end users in many ways, including some security restrictions. The end users know that Google screens all apps that are uploaded to the Play Store, and methodically removes ones that don't follow the rules, or simply misbehave.

On the Play Store, the users can reliably check the permissions your app is going to request, and see other users' complaints, not filtered by your PR.

To use your independent distribution channel, they must reach the "enable Unknown sources" toggle which is placed in the "Security Settings" section. It is dangerous to leave this toggle enabled, because some malware uses this channel of distribution, too.

The App Security Improvement Program can help an indie developer, too, to avoid some risks, e.g. it will warn the dev if some deprecated library or unsafe implementation is detected.

It is important to understand, though, that using the Play Store does not make your app less vulnerable to piracy; it can still be stolen, reverse engineered, and even uploaded to the same Play Store by a malicious party under a different name.

UPDATE: here are some security restrictions imposed by Google Play developer policies:

The following are explicitly prohibited:

  • Viruses, trojan horses, malware, spyware or any other malicious software.
  • Apps that link to or facilitate the distribution or installation of malicious software.
  • Apps or SDKs that download executable code, such as dex files or native code, from a source other than Google Play.
  • Apps that introduce or exploit security vulnerabilities.
  • Apps that steal a user’s authentication information (such as usernames or passwords) or that mimic other apps or websites to trick users into disclosing personal or authentication information.
  • Apps that install other apps on a device without the user’s prior consent.
  • Apps designed to secretly collect device usage, such as commercial spyware apps.