The Advanced Protection Program offers Google’s strongest security measures to lock down accounts from targeted attacks. It’s now coming to Android — as we previously spotted — with restrictions on sideloading apps and ensuring Play Protect is always enabled.
While security keys protect against phishing, Advanced Protection on Android is targeting malware. This focus is similar to risky download protections for Chrome and additional attachment scanning in Gmail.
The operating system today guards against malware by having Google Play Protect scan apps on a device. With APP, Play Protect is automatically turned on — if it isn’t already — and Google “will require that it remain[s] enabled.”
The second tentpole is limiting apps from outside the Play Store, as Google cannot provide the same level of pre-release testing. Advanced Protection will block on-device sideloading where you download an app online and tap on the APK to immediately install.
Google is offering some workarounds, including permitting installation through ADB using a PC, while app stores pre-installed by device manufacturers — like Samsung — will continue to work. Additionally, apps you’ve already installed from non-Play sources won’t be removed and continue to receive updates. G Suite users will not be getting these protections “for now,” given equivalent measures available to administrators.
To date, Advanced Protection has enforced restrictions directly on your Google Account. For example, third-party applications aren’t able to access Gmail messages or Drive files, thus requiring you to use the official clients.
The situation differs on Android where multiple accounts can be signed in to the same phone. As a result, if one Google Account has APP enabled, measures will be applied device-wide. Affected users can either remove that account or unenroll from the program.
Google will start gradually rolling out Advanced Protection to Android today.
FTC: We use income earning auto affiliate links. More.