Google Play Protect is now using a new “Protected Download” API to verify the integrity of models and heuristics downloaded onto devices, ensuring malware authors haven’t tampered with them.
Protected Download “enables downloading of resources to the device with support for a binary transparency log based verification”, ensuring that the resources are officially from Google.
Protected Download is a new API offered by “Private Compute Services”, the open source app that Android System Intelligence (part of Android’s “Private Compute Core”) uses to retrieve model updates from external servers.
“The mechanism of download is open-sourced to show that through the connection to the server personal user data is not sent to Google, but rather receiving the model or heuristics in an encrypted and verified manner.”
We haven’t seen a public announcement of this yet, but it was released last week.