I work for a publisher of Android games; we started publishing games in 2010, and we now have more than 100 games currently available on Google Play Store, with more games launching every few weeks.
It recently came to my attention that Avast Mobile is incorrectly reporting that our games contain malware, even when the user downloads our games directly from the Google Play Store. I reproduced this issue on my own Android device.
Using the Avast app for Android, I clicked the “report false positive” button, but my understanding is that this won’t fix anything right away, and that it certainly won’t fix anything for future games we intend to launch.
My understanding is that my best bet is to register for whitelisting. I’ve read the documentation here:
https://support.avast.com/en-eu/article/Threat-Lab-file-whitelist
https://www.avast.com/en-eu/whitelist-program-registration
https://support.avast.com/en-eu/article/FTP-file-upload/
https://support.avast.com/en-eu/article/Threat-Lab-clean-guideline/
I have several questions about this process.
- The first link about “file whitelisting” indicates that “Vendors who sign their applications with digital signatures can apply for whitelisting via their digital signature.” It’s not at all clear what this means in the context of Android apps.
On the Google Play Store, we don’t generate our own APK files anymore; we generate AAB files and send those to Google, who then signs the APKs on our behalf before distributing them to users. Google has required AAB files since August 2021. https://android-developers.googleblog.com/2021/06/the-future-of-android-app-bundles-is.html
Are we “a vendor who signs our applications with digital signatures” by that definition? If so, where is the signature itself?
If not, how would I add a digital signature to our Android app? (Would we add a digital signature to our AAB? Or as a separate build step? How?)
- In order to sign up for “whitelist program registration” (the second link), I’m required to upload a file. But what file should I upload? Should I upload an APK? Should I upload a “digital signature” file? (What file would that be?) There’s no point in uploading an AAB file, right?
The “File whitelisting” documentation (the first link) indicates that I’m registering to join the whitelist program in order to request permission to upload files via FTP. Am I required to upload a file in order to request permission to upload a file…?
- How does the whitelisting process work? Our goal is to ensure that our new games (and new versions of existing games) are whitelisted BEFORE users download them, so that none of our users receive a false-positive notification from Avast.
Will we be authenticated as a company, allowing all of our games (and updates) to be whitelisted at once? Do I have to FTP every game we ever make to Avast? (Before we ship?) Do I have to FTP every updated version of every app to Avast? (Before we ship??) Will Avast prevent us from fixing critical bugs in our games same-day?
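Added example, not part of the question above and not code from Avast or Google: the "where is the signature itself?" part can be answered by reading the APK. With Play App Signing, the AAB you upload is JAR-signed with your upload key (`keytool -printcert -jarfile app.aab` shows that certificate), while the APKs Google serves are signed with the app signing key Google holds for your app (`apksigner verify --print-certs app.apk` from the Android SDK build-tools shows it). The script below parses the APK Signing Block (the v2/v3 layout, which sits just before the ZIP central directory) using only the standard library and prints the SHA-256 fingerprint of the signer certificate, which is the value Play Console lists on its app signing page. It reads the container layout only and does not verify any signature. A sample APK is constructed inline so the script runs offline; `FAKE_CERT_DER` is a placeholder byte string, not a real X.509 certificate.

```python
import hashlib
import io
import struct
import sys
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A  # APK Signature Scheme v2 pair ID
V3_BLOCK_ID = 0xF05368C0  # APK Signature Scheme v3 pair ID (same certificate layout)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 of a DER certificate, as Play Console displays it."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def _lv(buf: bytes, pos: int):
    """Read one uint32-length-prefixed value at pos; return (value, next_pos)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _lv_sequence(buf: bytes):
    """Split a buffer made of back-to-back length-prefixed values."""
    items, pos = [], 0
    while pos < len(buf):
        item, pos = _lv(buf, pos)
        items.append(item)
    return items


def _eocd_and_cd_offset(data: bytes):
    eocd = data.rfind(b"PK\x05\x06")  # End Of Central Directory signature
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no End Of Central Directory record")
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    return eocd, cd_offset


def has_apk_signing_block(data: bytes) -> bool:
    _, cd_offset = _eocd_and_cd_offset(data)
    return data[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC


def signing_block_pairs(data: bytes) -> dict:
    """{id: value} for the APK Signing Block placed right before the central directory:
    uint64 size | pairs (uint64 len, uint32 id, value) | uint64 size | 16-byte magic."""
    if not has_apk_signing_block(data):
        raise ValueError("no APK Signing Block: unsigned, or v1 (JAR/META-INF) signed only")
    _, cd_offset = _eocd_and_cd_offset(data)
    (size,) = struct.unpack_from("<Q", data, cd_offset - 24)
    start = cd_offset - size - 8  # size excludes the leading size field itself
    (leading,) = struct.unpack_from("<Q", data, start)
    if leading != size:
        raise ValueError("APK Signing Block size fields disagree")
    pairs, pos, end = {}, start + 8, cd_offset - 24
    while pos < end:
        (pair_len,) = struct.unpack_from("<Q", data, pos)
        (pair_id,) = struct.unpack_from("<I", data, pos + 8)
        pairs[pair_id] = data[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return pairs


def signer_cert_fingerprints(data: bytes, scheme_id: int = V2_BLOCK_ID):
    """SHA-256 fingerprint of each signer's leaf certificate in the v2 (or v3) block.
    Signer: signed data | [v3 only: min/max SDK] | signatures | public key.
    Signed data: digests | certificates | ...; the first certificate is the signer's."""
    pairs = signing_block_pairs(data)
    if scheme_id not in pairs:
        return []
    signers, _ = _lv(pairs[scheme_id], 0)
    fingerprints = []
    for signer in _lv_sequence(signers):
        signed_data, _ = _lv(signer, 0)
        _digests, pos = _lv(signed_data, 0)
        certs, _ = _lv(signed_data, pos)
        fingerprints.append(sha256_fingerprint(_lv_sequence(certs)[0]))
    return fingerprints


def build_sample_apk(cert_der=None) -> bytes:
    """Constructed fixture: a one-entry ZIP, optionally with a v2-layout signing block
    holding cert_der as its only certificate (no real digests or signatures)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder>")
    zipped = buf.getvalue()
    if cert_der is None:
        return zipped
    eocd, cd_offset = _eocd_and_cd_offset(zipped)
    lv = lambda b: struct.pack("<I", len(b)) + b
    signed_data = lv(b"") + lv(lv(cert_der)) + lv(b"")  # digests, certificates, attributes
    signer = lv(signed_data) + lv(b"") + lv(b"")        # signed data, signatures, public key
    value = lv(lv(signer))                              # sequence holding one signer
    pair = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    # The central directory moves past the inserted block; patch its offset in the EOCD.
    eocd_rec = zipped[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + zipped[eocd + 20:]
    return zipped[:cd_offset] + block + zipped[cd_offset:eocd] + eocd_rec


FAKE_CERT_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"  # placeholder, not X.509

if __name__ == "__main__":
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk(FAKE_CERT_DER)
    for fp in signer_cert_fingerprints(apk, V3_BLOCK_ID) or signer_cert_fingerprints(apk):
        print("Signer certificate SHA-256:", fp)
```

Run it against an APK pulled from a device (`python3 apk_signer.py base.apk`) and compare the printed fingerprint with the app signing certificate in Play Console; a match confirms the file carries Google's signing certificate rather than your upload key. An APK that is only v1-signed has no signing block, and the script says so instead of guessing.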