Sunday, December 22, 2024

Why Did Samsung Take Control of My Banking App? Inside Android’s ‘Clobbering’ Dilemma


Samsung and Bank of America didn’t immediately respond to requests for comment for this story. Google and Epic both declined to comment.


Cross-store updates trace back to Android’s roots in the fairly open Linux platform, and they come with benefits. As app updates go through security reviews and other store-specific checks, a download might arrive at varying times across app stores. By allowing any of the app stores installed on their phone to update an app, users can ensure their apps are up to date as soon as possible to resolve bugs or security vulnerabilities, says Bogdan Botezatu, director of threat research and reporting at cybersecurity company Bitdefender. “Users should not be worried about getting the update,” he says.

In an encouraging sign, an analysis of three popular apps at WIRED’s request by Esther Onfroy, cofounder of security research company Defensive Lab Agency, found no difference between copies of the same app downloaded from Google Play and the Galaxy Store.

There are risks to cross-store updates, though those risks are remote, Onfroy says. An app store with weak security could be exploited to ship a malicious update, and having more stores on a device raises the prospect of just one of them being corrupted. An app store also could wrap an update with code that enables some form of intrusive data collection.

Users are more likely to encounter nuisances like updates from other app stores that don’t function properly. Edward Cunningham, a director of product management at Google, told Donato in court papers that in 2022, smartphone maker Oppo’s app store released an unauthorized and outdated update of Google’s Chrome browser. Some users who installed the update couldn’t load web pages on Chrome.

On Reddit, users have complained about Google Play updating apps downloaded from the Amazon Appstore, stifling their ability to access subscription features or pay with virtual currencies unique to apps from Amazon’s marketplace. In a June court filing, Google’s attorneys acknowledged that users can lose in-app purchases and subscriptions. App stores support varying billing systems, and the billing system used in the current update of the app may be the only one that works. So if a game downloaded from Epic’s store is updated by Google Play, it may be Google and no longer Epic that gets a commission on in-app purchases, and items acquired in the past may not function as intended.

Cross-store updates also can trigger more frequent app crashes, in part because they can disrupt the staggered launches that app developers sometimes use to catch bugs before they spread—the sort of measure that helps avert disasters such as the recent CrowdStrike meltdown.

Adding to the confusion over clobbering, app developers can limit updates from multiple app stores by publishing to each store under different credentials or version numbers. But then if users do want to switch to updates from a different app store, they may have to reinstall the app by downloading a new version from their preferred store, and they might lose some data in the process. Users who want to preserve the current version of an app because they prefer it also may be disappointed if they turn off updates from one store while not realizing that they need to also turn off updates from another store.
