How do I register for whitelisting?

I work for a publisher of Android games; we started publishing games in 2010, and we now have more than 100 games currently available on Google Play Store, with more games launching every few weeks.

It recently came to my attention that Avast Mobile is incorrectly reporting that our games contain malware, even when the user downloads our games directly from the Google Play Store. I reproduced this issue on my own Android device.

Using the Avast app for Android, I clicked the “report false positive” button, but my understanding is that this won’t fix anything right away, and that it certainly won’t fix anything for future games we intend to launch.

My understanding is that my best bet is to register for whitelisting. I’ve read the documentation here:

https://support.avast.com/en-eu/article/Threat-Lab-file-whitelist
https://www.avast.com/en-eu/whitelist-program-registration
https://support.avast.com/en-eu/article/FTP-file-upload/
https://support.avast.com/en-eu/article/Threat-Lab-clean-guideline/

I have several questions about this process.

  1. The first link about “file whitelisting” indicates that “Vendors who sign their applications with digital signatures can apply for whitelisting via their digital signature.” It’s not at all clear what this means in the context of Android apps.

On the Google Play Store, we don’t generate our own APK files any more; we generate AAB files and send those to Google, who then signs the APKs on our behalf before distributing them to users. Google has started requiring AAB files since August 2021. https://android-developers.googleblog.com/2021/06/the-future-of-android-app-bundles-is.html

Are we “a vendor who signs our applications with digital signatures” by that definition? If so, where is the signature itself?

If not, how would I add a digital signature to our Android app? (Would we add a digital signature to our AAB? or as a separate build step? How?)

  2. In order to sign up for “whitelist program registration,” (the second link) I’m required to upload a file. But what file should I upload? Should I upload an APK? Should I upload a “digital signature” file? (What file would that be?) There’s no point in uploading an AAB file, right?

The “File whitelisting” documentation (the first link) indicates that I’m registering to join the whitelist program in order to request permission to upload files via FTP. Am I required to upload a file in order to request permission to upload a file…?

  3. How does the whitelisting process work? Our goal is to ensure that our new games (and new versions of existing games) are whitelisted BEFORE users download them, so that none of our users receive a false-positive notification from Avast.

Will we be authenticated as a company, allowing all of our games (and updates) to be whitelisted at once? Do I have to FTP every game we ever make to Avast? (Before we ship?) Do I have to FTP every updated version of every app to Avast? (Before we ship??) Will Avast prevent us from fixing critical bugs in our games same-day?

Hi,

You would need to provide us with a file (APK in this case) and a description. We will then either accept this file (mark it as clean and provide you with your own credentials to our FTP server to upload other files if need be) or refuse the file (reason, e.g. file is not clean, the file is from someone else, etc.). The digital signature is not mandatory, and files without a digital signature can be whitelisted. When you have your FTP credentials, you can upload other files using the FTP server. You would have to upload additional files if they were not signed by the same signature as any previous file you submitted.
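To check whether a new build carries the same signing certificate as an APK already submitted, the certificate fingerprints can be read from the APK Signing Block (signature scheme v2/v3), as in this added example, which is not part of the thread and is not Avast's tooling. Assumptions: "same signature" is read as "same signer certificate", and `signer_fingerprints`, `needs_upload` and `build_sample_apk` are hypothetical names, the last producing a constructed stand-in file.

```python
import hashlib
import struct

MAGIC = b"APK Sig Block 42"
SCHEME_IDS = (0x7109871A, 0xF05368C0)  # APK Signature Scheme v2 and v3

def _items(buf):
    """Lazily yield the uint32-length-prefixed items packed in buf."""
    pos = 0
    while pos + 4 <= len(buf):
        (n,) = struct.unpack_from("<I", buf, pos)
        if pos + 4 + n > len(buf):
            raise ValueError("truncated length-prefixed item")
        yield buf[pos + 4:pos + 4 + n]
        pos += 4 + n

def signer_fingerprints(apk):
    """SHA-256 hex digests of the signer certificates in the v2/v3 signing block."""
    eocd = apk.rfind(b"PK\x05\x06")  # ZIP end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a ZIP/APK")
    (cd,) = struct.unpack_from("<I", apk, eocd + 16)  # central directory offset
    if cd < 32 or apk[cd - 16:cd] != MAGIC:
        return set()  # no signing block: v1-only signed or unsigned
    (size,) = struct.unpack_from("<Q", apk, cd - 24)
    if size < 24 or size + 8 > cd:
        raise ValueError("bad signing block size")
    pos, end, found = cd - size, cd - 24, set()  # ID-value pairs occupy [pos, end)
    while pos + 12 <= end:
        n, pair_id = struct.unpack_from("<QI", apk, pos)
        value, pos = apk[pos + 12:pos + 8 + n], pos + 8 + n
        if pair_id in SCHEME_IDS:
            for signer in _items(next(_items(value))):
                fields = _items(next(_items(signer)))  # this signer's signed data
                next(fields)  # skip the digests sequence
                for cert in _items(next(fields)):  # DER-encoded certificates
                    found.add(hashlib.sha256(cert).hexdigest())
    return found

def needs_upload(apk, submitted):  # assumption: "same signature" = same signer cert
    return not (signer_fingerprints(apk) & set(submitted))

def build_sample_apk(cert):  # constructed stand-in, not a real APK or certificate
    lp = lambda b: struct.pack("<I", len(b)) + b
    signer = lp(lp(b"") + lp(lp(cert)) + lp(b"")) + lp(b"") + lp(b"")
    value = lp(lp(signer))
    pair = struct.pack("<QI", len(value) + 4, SCHEME_IDS[0]) + value
    size = struct.pack("<Q", len(pair) + 24)
    body = b"constructed-zip-entries" + size + pair + size + MAGIC
    return body + struct.pack("<4s4HIIH", b"PK\x05\x06", 0, 0, 0, 0, 0, len(body), 0)
```

The function only reads the certificates and does not verify the signature; `apksigner verify --print-certs` from the Android SDK build tools does both on a real APK.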

Thanks. I have FTP access now. Am I right in guessing that I should upload APK files via FTP? (We don’t make our own APK files, but Google Play Console allows us to download our APK via the App bundle explorer.)

And what about my question #3? Do we need to FTP Avast every time we update any of our 100+ games?

Yep.

PS: https://support.avast.com/en-ww/article/Threat-Lab-mobile-application-clean-guideline/