Evolving Verifiable Trust: Bringing Binary Transparency to the Android Ecosystem

Building on our previous binary transparency work (Pixel System Image Transparency), Google is continuing to lead the industry by evolving our commitment to verifiable production software. As Android devices become increasingly personal, managing everything from sensitive Government IDs to secure payments to powering AI features, the responsibility to ensure the integrity of the software ecosystem has never been more profound.

Historically, trust in software has been "implicit," based on the simple assumption that an application is genuine because of its signature. However, as software complexity increases, so does the surface area for binary supply chain attacks. It is becoming insufficient to rely on the binary’s signature alone, as a signature cannot guarantee that this particular binary was the intended one to be released to the public by its author. Digital signatures are a certificate of origin, but binary transparency is a certificate of intent. Examples of binaries that are not meant to be released include stolen signing keys, insider attacks, and internal development builds. Google is helping address this real-world risk by expanding Binary Transparency on Android. By utilizing public, append-only ledgers, we are moving beyond assumptions to provide confidence that the Google software on your device is exactly what we intended to build and distribute.

Moving Beyond Implicit Trust

Google’s production Android applications released after May 1, 2026, will have a corresponding cryptographic entry confirming its authenticity ¹ . This provides a transparent "Source of Truth" that allows anyone to verify that the Google software on their Android device is a production version authorized by Google and has not been modified by an attacker.

This transparency initiative currently covers these critical software layers:

• Google Applications: A collection of production Google applications, including both Google Play Services and standalone Google applications that support functionality across devices, ensuring your device provides a great user experience right out of the box.
• Mainline Modules: Dynamically updateable operating system (OS) modules, running at elevated privileges, as they are a part of the OS.

Technical details about these initiatives (including guide to verification) are provided at this developer site.

Transparency: The Foundation of Privacy and Accountability

Trust grows through accountability, and transparency is the engine that enables it. Our production ledger creates a new standard for transparency within the Android ecosystem:

If a Google-signed application, released after May 1, 2026, is not on this ledger, we did not intend to release it.

We have designed this system so that no party, including Google, can modify the software we authorize for release to your device without creating a public record. If the software is not on the ledger, Google did not release it as production software. Any attempt to deploy a "one-off" version will be detectable. By requiring every official update to be on the ledger, we increase the assurance that the Google software running on your device is exactly the software we intended to build and distribute.

This is a critical pillar for user privacy and security because it changes the fundamental power dynamic of software updates. This level of transparency serves as another layer of protection on our software’s integrity, acting as a powerful deterrent against unauthorized binary releases.

Production Google Software is now Transparent on Android

Our new logs extend the promise of Google production software transparency to our external-facing Android applications across the ecosystem.

For Pixel users, when combined with our existing Pixel System Image Transparency, this enables users to verify that their system image and the Google applications running on their device are all production software. We believe transparency should be the goal for the industry, and by making our own applications transparent first, we are providing a roadmap that others in the community can adopt.

Users and researchers can now make use of the metadata published in the transparency log to detect unauthorized OS modification attempts, even if these files have the correct digital signature. To help facilitate this process, we have published verification tooling in our Android Binary Transparency repository, allowing anyone to verify the transparency state of supported software types. Knowing that the entirety of the OS is operating from a known good state should increase trust in the overall system.

The Evolution of Verifiable Trust

By evolving our previous binary transparency coverage from production Pixel images to Google software across the entire Android ecosystem, we are raising the bar. We enable everyone to Trust and Verify our Google Software using our tools today, ensuring transparency remains a fundamental part of the Android experience.