Android Instant Apps Sounds Dangerous

It's useful. It's revolutionary. But is it also dangerous?

Google today (May 18) unveiled a new feature called Android Instant Apps, which delivers the functionality of an Android app to a mobile Chrome browser. You can click on a web link, and Chrome will download and run part or all of a stand-alone Android app, without the app actually installing on the device.

Credit: radFX/Shutterstock

(Image credit: radFX/Shutterstock)

In this way, Google executives said at the company's annual I/O developers' conference, Android users will soon be able use apps without actually installing them. But as you might imagine, Instant Apps instantly raised some security concerns.

MORE: Best Android Security Apps

"Oh, good," tweeted game designer Ron Gilbert. "Now Android Apps can install malware instantly — no need to actually install the app!"

"Android Instant Apps sounds like rly awesome UX [user experience]," tweeted developer Hayden Schiff, "but installing code w/o user permission does not sit well with me."

Google representatives told TechCrunch that Instant Apps will run in a sandbox, as all Android apps do. Presumably, the links will point back to the Google Play Store, and run only Google-approved code.

"If it's sandboxed well and has to go through Play Store and more rigorous security checks, should be okay?" responded programmer Andy Lawton to Schiff's skeptical tweet. "Opt-out-able too I hope."

However, hundreds of malicious apps have made it past the Google Play Store's Bouncer feature, and more pop up every few weeks. What's to stop a criminal or spy from embedded an Android Instant Apps link that points to malicious code? What's to stop that link to point to a server outside of the Google Play Store?

The Android Instant Apps FAQ page Google set up doesn't answer any of these questions, but there's a sign-up link on another page for "early access to the Instant Apps documentations" when it's ready.

Android Instant Apps will be accessible by devices running versions of Android dating all the way back to 4.1 Jelly Bean — the kind of device that probably will never be patched by handset makers or vendors. (Sorry, iPhone users, you're not getting this yet.)

The feature will be rolled out in the fall of 2016. We can't wait.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.