Google expands Android Binary Transparency with public ledger to verify app authenticity
Zero Signal Staff
Published May 6, 2026 at 3:10 PM ET

Google Security Blog / Help Net Security
Google has expanded its Binary Transparency program for Android, introducing a public, append-only ledger that records cryptographic entries for production Android applications — giving users and security researchers an independent way to confirm that the software running on their devices matches what Google actually authorized for public release.
The Details
The program applies to Google's production Android applications released on or after May 1, 2026. Each app receives a corresponding cryptographic entry on the public ledger. Applications last updated before that date will not appear in the log, regardless of whether they remain in active use on devices.
Two software layers fall under the program at launch. The first covers Google Applications, which includes Google Play Services — the core services layer that underpins much of the Android ecosystem — as well as standalone Google apps such as Search, Maps, and Gmail. The second layer covers Mainline Modules, the dynamically updateable operating system components that run at elevated privileges as part of Android itself. Mainline Modules allow Google to update select parts of the Android operating system without requiring a full system update from device manufacturers.
The central problem the program addresses is a gap in existing software verification. Digital signatures verify who built a binary but cannot confirm the binary was meant for public release. Stolen signing keys, insider attacks, and internal development builds can all carry valid signatures that pass standard verification checks. As the Google Security Team wrote in the company's official announcement: "It is becoming insufficient to rely on the binary's signature alone, as a signature cannot guarantee that this particular binary was the intended one to be released to the public by its author. Digital signatures are a certificate of origin, but binary transparency is a certificate of intent."
Under the new system, if a Google-signed application released after May 1, 2026, does not appear on the ledger, Google did not release it as production software. Any attempt to deploy a one-off or unauthorized version becomes detectable through the public record, because the corresponding entry would either be absent or would not match the binary installed on the device.
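To make the signature-versus-intent distinction concrete, here is an added Python model, not Google's verification tooling or log format, of a verifier that accepts a binary only when its signature checks out and the log serves a Merkle inclusion proof for it against a trusted root. The HMAC signing key, the log contents and the RFC 6962-style tree hashing are assumptions constructed for the demo.

```python
import hashlib, hmac
# Constructed demo key: an HMAC stands in for the app-signing key. Anyone who
# holds it (a key thief, an insider) can produce a "valid" signature on any build.
SIGNING_KEY = b"constructed-demo-signing-key"

def sign(binary):
    return hmac.new(SIGNING_KEY, binary, "sha256").digest()

# Append-only Merkle log over binary digests, RFC 6962-style domain separation.
def leaf_hash(binary):
    return hashlib.sha256(b"\x00" + hashlib.sha256(binary).digest()).digest()
def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()
def split(n):  # largest power of two strictly below n (RFC 6962 subtree split)
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves):
    if len(leaves) == 1:
        return leaves[0]
    k = split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves, i):
    """Sibling hashes from leaf i up to the root, each tagged with its side."""
    if len(leaves) == 1:
        return []
    k = split(len(leaves))
    if i < k:
        return inclusion_proof(leaves[:k], i) + [("R", merkle_root(leaves[k:]))]
    return inclusion_proof(leaves[k:], i - k) + [("L", merkle_root(leaves[:k]))]

def verify_inclusion(leaf, proof, root):
    for side, sibling in proof:
        leaf = node_hash(leaf, sibling) if side == "R" else node_hash(sibling, leaf)
    return hmac.compare_digest(leaf, root)

# Constructed sample: the three builds the release pipeline actually logged.
LOG = [leaf_hash(b) for b in (b"play-services-A", b"maps-B", b"gmail-C")]
ROOT = merkle_root(LOG)  # the checkpoint a verifier trusts

def lookup_proof(binary):
    """Models the log server: inclusion proof for a logged binary, else None."""
    leaf = leaf_hash(binary)
    return inclusion_proof(LOG, LOG.index(leaf)) if leaf in LOG else None

def is_authorized_release(binary, sig):
    """Signature = certificate of origin; log inclusion = certificate of intent."""
    if not hmac.compare_digest(sign(binary), sig):
        return False
    proof = lookup_proof(binary)
    return proof is not None and verify_inclusion(leaf_hash(binary), proof, ROOT)
```

A build signed with the real key but never logged fails the second check, which is exactly the one-off or unauthorized version the ledger is meant to expose.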
Billy Lau, Information Security Engineer at Google, confirmed that the company mitigates insider risk through defense-in-depth protocols that isolate code development from the automated building and signing process. "These safeguards ensure that no single individual has the access required to publish a binary without triggering comprehensive cryptographic verification and ensures that bad actors are unable to evade detection because of visibility," Lau said in comments reported by Help Net Security.
For Pixel device owners, the new ledger works alongside an existing transparency mechanism. Google introduced Pixel System Image Transparency in 2023, which allows Pixel users to verify that the system image installed on their device is production software. Together, the two systems give Pixel users the ability to verify that both the system image and Google applications are authorized production releases.
Verification tooling is available in the Android Binary Transparency repository on GitHub, enabling anyone — independent researchers, security teams, or individual users — to check the transparency state of supported software types against the public log. The tooling is open-source, allowing the security community to audit the verification process itself.
Context
Supply chain attacks on mobile software have grown in recent years as phones have taken on an increasingly central role in daily life, handling payments, government identification documents, and artificial intelligence features. Google's transparency work predates the new ledger: the company introduced Pixel System Image Transparency in 2023, and it participates in the broader transparency.dev initiative, a wider effort to bring verifiable software transparency across platforms. The distinction between a valid digital signature and a verified public release has been a recognized gap in the software supply chain security model, one that transparency logs are designed to close by creating an independently auditable record of what was intended for production distribution.
What's Next
Billy Lau said Google is actively working to extend Binary Transparency to third-party developers, which would expand the program beyond Google's own applications and operating system components to cover apps distributed through the broader Android ecosystem. No timeline for that expansion has been disclosed. The program's May 1, 2026 effective date means that apps updated before then will gradually age out of support coverage, and the scope of logged software may increase as Google adds additional layers or as third-party adoption begins.
