The Galaxy Wearable app from Samsung could cause the company some trouble following the discovery that it prompts the download of the Samsung Pay APK from a secondary source. That’s based on a recent tweet from XDA Developers contributor Max Weinbach.
The point of contention is that the wearables-specific app prompts a download of a second app when it is installed on non-Samsung phones. Designed specifically for Samsung’s Galaxy-branded smartwatches, the Galaxy Wearable app is required to use those devices. But when users run it, the app also prompts them to download a separate application, Samsung Pay.
What is the Google Play policy on app sideloads and what’s the risk?
The Google Play policy in question explicitly says that apps cannot install other apps that aren’t on the Play Store. That means an app can’t prompt users to install a different app from a different source. Google bans this because the behavior potentially puts users at risk: it is a technique often used by malicious actors in the first place, and, depending on how an app is coded and what its manifest declares, it can expose users to additional risk.
In the latter case, an app that pulls other apps from secondary sources gives a bad actor an opening to inject malicious downloads into an otherwise legitimate app.
That’s not to say that’s what Samsung’s app is doing or that it is poorly coded. But Google has this policy in place for a very good reason.
Now, Samsung’s activity here may or may not actually breach Google Play policies as laid out in the Google Play Developer Distribution Agreement. That’ll be up to Google to decide. The Samsung Pay app is technically available for download on both the Google Play Store and on Samsung’s Galaxy Store.
But the download prompted by the Galaxy Wearable app doesn’t arrive from either source. Instead, it downloads directly from an Amazon Web Services server.
This is a policy enforced across multiple Google products
Setting aside whether Samsung is breaking Google Play policies by allowing its Galaxy Wearable app to download Samsung Pay from an unauthorized source, Google has been cracking down fairly hard on developers who breach its policies. And those policies extend beyond the Google Play Store.
Recently, the company instituted a similar policy change in its Chrome Web Store, for example, and developers that don’t follow that policy meet a similar fate. In effect, Google now removes and disables extensions and apps from its browser market if it finds that they are downloading secondary apps from other sources.
So Samsung’s transgression here may be enough for Google to consider this a breach of the policies. If that’s the case, the Samsung-built Galaxy Wearable app may ultimately be removed from the Play Store. Or Google may work with Samsung to fix the underlying issue.
So this, section 4.5 of the Google Play Developer Distribution Agreement, basically says apps cannot install other apps that are not on the Google Play Store. So an app can’t download and prompt you to install a different app. pic.twitter.com/HGeS4IJUMf
— Max Weinbach (@MaxWinebach) June 9, 2020