When the Pixel 5 and 4a 5G were released, Google also updated a few of its first-party apps — the Camera and the Recorder, to be specific. But when people with older Pixel phones tried to sideload these to their phones, some ran into an odd INSTALL_FAILED_VERIFICATION_FAILURE error message even though the cryptographic signature matched and there should've been nothing standing in the way. We quickly found a workaround, but we never really understood why the error was popping up in the first place. Thanks to an investigation by our friends over at XDA, we now have an idea of what causes the problem.

While we initially assumed that the verification failure was a bug, XDA found evidence that it might be an intentional change. The publication examined the logs associated with the verification failure error when installing the Google Camera, which hints at what's going on:

AppIntegrityManagerServiceImpl: Integrity check of com.google.android.GoogleCamera result: DENY due to [Rule: (PACKAGE_NAME EQ com.google.android.GoogleCamera) AND (VERSION_CODE GTE 32045130) AND (APP_CERTIFICATE EQ F0FD6C5B410F25CB25C3B53346C8972FAE30F8EE7411DF910480AD6B2D60DB83) AND NOT (INSTALLER_NAME EQ com.android.vending), DENY]

We can see that the installation failed because the installer app ("INSTALLER_NAME") doesn't match the Play Store ("com.android.vending"), a criterion that was never checked until now. The check was initiated by the "AppIntegrityManagerServiceImpl," a part of Android's new "App Integrity" checker. It's supposed to add another layer of security on top of existing measures (like cryptographic APK signatures) to prevent rogue packages from taking the place of legitimate apps.

The AppIntegrityManagerServiceImpl operates on a set of rules provided by the Play services, which is why you can temporarily evade the new security checks by uninstalling updates to the services — the rules likely aren't part of the pre-installed version of the services and aren't downloaded right away, so there's a timeframe where the AppIntegrityManagerServiceImpl doesn't have any rules to work with, and thus, it'll allow installing from any source. Big parts of the new integrity checker are obfuscated, so there might be more nuances to the topic, but this seems to be the gist of what we're working with.

XDA speculates that these changes are meant to protect people from installing the wrong version of an app on their phones. It's possible to install the wrong DPI variant of an app to your phone, which could mess up the interface, and there's at least one instance where you could lose features when you install the incorrect version of an app, like Live Caption on the Pixel 4.

Google could extend this practice to more of its apps, though right now, it seems that only apps that have switched to the APK bundle format can be blocked by the AppIntegrityManagerServiceImpl, like the Google Camera or the Recorder.

We're still not exactly sure what the implications of the new integrity checker are, but it appears that our proposed workaround still allows most people to reliably sideload Google apps on Android 11, at least for the time being. Since it looks like the verification changes are intentional, it's possible that future updates will make sideloading system apps even harder, and you might not be able to use a workaround at some point.