Google System Services APK Transparency Log

The Google System Services APK Transparency Log leverages transparency log technology.

The utility of transparency logs has been proven by projects such as Pixel Binary Transparency and Certificate Transparency.

Transparency logs are implemented with Merkle trees. This page assumes general knowledge of Merkle trees and binary transparency. See Verifiable Data Structures for an overview of Merkle trees and the main page for an overview of the binary transparency effort within Android.

Log Implementation

The Google System Services APK Transparency Log is implemented as a tile-based Merkle tree. The root of the tile contents is served at https://developers.google.com/android/binary_transparency/google1p/tile/. Note that this is not a regular web page: the log entries contained in its subdirectories should be read programmatically with the Golang SumDB Tlog library and not through a browser. We state the link here for clarity.

Refer to Log Content for a description of what each entry contains.

The Merkle tree root hash of a log, contained in a checkpoint, is served at https://developers.google.com/android/binary_transparency/google1p/checkpoint.txt in the checkpoint format. The leaves of this Merkle tree are served at https://developers.google.com/android/binary_transparency/google1p/package_info.txt. The signature of the checkpoint can be verified with the public key described in the following certificate.


If you prefer PGP, the same public key can also be found in Android Security's PGP public key block at https://services.google.com/corporate/publickey.txt, identified by CFAB31BE8DD7AC42FC721980ECA5C68599F17322.

The verification page describes in more detail how the various components of the log are used to verify the claims made in the Claimant Model.
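To make the relationship between the checkpoint and the leaves concrete, here is an added Go example (not code from this page or from Google's tooling) that recomputes a Merkle root from a list of leaves and compares it with the size and root hash in a checkpoint body. It assumes the checkpoint body's first three lines are origin, tree size and base64 root hash, and RFC 6962 hashing as used by the SumDB tlog library; the origin `example.test/log` and the inputs are constructed, and splitting package_info.txt into leaf records and verifying the checkpoint signature are left out.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// merkleRoot is the RFC 6962 tree hash: leaves are hashed with a 0x00 prefix,
// interior nodes with 0x01, splitting at the largest power of two below n.
func merkleRoot(leaves [][]byte) [32]byte {
	if len(leaves) == 0 {
		return sha256.Sum256(nil)
	}
	if len(leaves) == 1 {
		return sha256.Sum256(append([]byte{0x00}, leaves[0]...))
	}
	k := 1
	for k*2 < len(leaves) {
		k *= 2
	}
	l, r := merkleRoot(leaves[:k]), merkleRoot(leaves[k:])
	return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...))
}

// checkLeaves checks leaves against the checkpoint body (origin, size, base64 root).
func checkLeaves(checkpoint string, leaves [][]byte) error {
	body, _, _ := strings.Cut(checkpoint, "\n\n") // signatures follow a blank line
	lines := strings.Split(body, "\n")
	if len(lines) < 3 {
		return fmt.Errorf("checkpoint body needs origin, size and root hash")
	}
	size, err1 := strconv.ParseUint(lines[1], 10, 64)
	want, err2 := base64.StdEncoding.DecodeString(lines[2])
	if err1 != nil || err2 != nil || len(want) != sha256.Size {
		return fmt.Errorf("malformed tree size or root hash")
	}
	if got := merkleRoot(leaves); size != uint64(len(leaves)) || !bytes.Equal(got[:], want) {
		return fmt.Errorf("leaves do not match checkpoint %q (size %d)", lines[0], size)
	}
	return nil
}

func main() { // constructed checkpoint of an empty log (root is SHA-256 of "")
	fmt.Println(checkLeaves("example.test/log\n0\n47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=\n", nil))
}
```

A root match only shows that the leaves are the ones the checkpoint commits to; the checkpoint's signature still has to be verified against the log's public key before the root is trusted.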