
Android Instant Apps Sounds Dangerous

It's useful. It's revolutionary. But is it also dangerous?

Google today (May 18) unveiled a new feature called Android Instant Apps, which delivers the functionality of an Android app to a mobile Chrome browser. You can click on a web link, and Chrome will download and run part or all of a stand-alone Android app, without the app actually installing on the device.

Credit: radFX/Shutterstock


In this way, Google executives said at the company's annual I/O developers' conference, Android users will soon be able to use apps without actually installing them. But as you might imagine, Instant Apps instantly raised some security concerns.


"Oh, good," tweeted game designer Ron Gilbert. "Now Android Apps can install malware instantly — no need to actually install the app!"

"Android Instant Apps sounds like rly awesome UX [user experience]," tweeted developer Hayden Schiff, "but installing code w/o user permission does not sit well with me."

Google representatives told TechCrunch that Instant Apps will run in a sandbox, as all Android apps do. Presumably, the links will point back to the Google Play Store, and run only Google-approved code.

"If it's sandboxed well and has to go through Play Store and more rigorous security checks, should be okay?" responded programmer Andy Lawton to Schiff's skeptical tweet. "Opt-out-able too I hope."

However, hundreds of malicious apps have made it past the Google Play Store's Bouncer feature, and more pop up every few weeks. What's to stop a criminal or spy from embedding an Android Instant Apps link that points to malicious code? What's to stop that link from pointing to a server outside of the Google Play Store?

The Android Instant Apps FAQ page Google set up doesn't answer any of these questions, but there's a sign-up link on another page for "early access to the Instant Apps documentations" when it's ready.

Android Instant Apps will be accessible by devices running versions of Android dating all the way back to 4.1 Jelly Bean — the kind of device that probably will never be patched by handset makers or vendors. (Sorry, iPhone users, you're not getting this yet.)

The feature will be rolled out in the fall of 2016. We can't wait.