This week Google announced Android Instant Apps at Google I/O 2016. Instant Apps allow developers to break their app into parts that people can use without having to install the complete app on their device. The feature sounds useful, but certainly raises questions about Android Instant Apps security.
A use case for Instant Apps offered by Google involves a friend sending you a link to a recipe in a cooking app. Clicking the link will bring up the recipe directly in the app on your device, but without you having to wait to install the app. Your device only downloads the code it needs to serve that particular piece of content. The size of these modules will likely vary, based on how much of the app’s functionality is required to complete the relevant task.
How will permissions for Instant Apps be managed?
How will users know what instant mobile apps to trust?
Another aspect of Instant Apps that concerns me is the blurring of a line of understanding that was already tenuous for many users, making things less transparent. With the Internet, you look at the URL to see where you’re going and look for a URL, and HTTPS. If someone deep links into an Instant App, how do I judge that app’s authenticity and that it’s provided by the company it claims to be? How do I know if it uses TLS to secure communications? With Instant Apps, you click what looks like a hyperlink but rather than a web page in a familiar browser, you get an unfamiliar app interface that you did not install. Within that interface an attacker may be capable of all kinds of spoofing, all without the many browser protections we’ve spent years building. With apps, the user must trust the app and the platform, and the platforms are not patching security vulnerabilities fast enough. The devices that will support the Instant Apps feature will also affect the security implications. Android devices vary, obviously, and so too do their policy enforcement mechanisms. The enforcement capabilities available to the device executing an Instant App will determine whether the app is effectively isolated and granted only the minimum permissions needed to function. We’ll have to wait for more technical details from Google about the security protections they plan to implement. The convenience of Instant Apps is appealing, but attackers will view it as a shiny new attack vector, and for me the security jury is still out.