Are Instant Apps Secure? What to Know Before Trying One

instant appsInstant apps are specially designed for mobile phones. They are lightweight native web applications that work within a limited scope without requiring installation on your device. They can be used seamlessly within their domain of functionality without leaving the app you’re currently using.

For example, if you want to buy an item from an e-commerce website but don’t want to install its native application on your phone, you could instead use the website’s instant app version which will load much faster than its full-fledged counterpart because it doesn’t have all the features included in a typical app store download. Knowing how to disable instant apps is simple. You just need to go to your device settings and toggle the instant apps switch. Any simple issues can easily be resolved by contacting iOS or Android instant app support to help you resolve them.

However, one might ask what security measures are put in place to ensure the safety of instant apps. The short answer is that instant app security is similar to non-instant apps in some ways but different in others.


Security of Instant Apps

One of the main differences between an instant app and its corresponding native app is how it’s delivered. While full-fledged apps are typically downloaded from their respective stores (Google Play or Apple Store), instant apps can be accessed over the Internet via URLs instead of through specific storefronts.

Another difference concerns licensing, since most paid applications require payment before they become available on your device. Instant apps generally don’t need any additional permission, besides access to network communications, which enables them to download data when needed (e.g., from a server) instead of keeping it inside the app itself. This is unlike native apps that can be installed just by following an installation link or scanning a QR code.

Since instant apps don’t need to be downloaded from Google Play, they are often mostly secure because you are required to have permission before being able to install them on your device. For example, if I receive a link which starts with “” and click on it, Android will ask me for permission to access my location data first since this is needed in order to track where you’re currently located so that the app knows what movies are available near you. If you were to tap on “Allow”, your location data will be used to retrieve a list of trailers from the movies that are currently playing in theaters.

That said, there is a difference between instant apps and native apps when it comes to encryption key storage. Usually, Android requires third-party apps to store keys for encrypting or decrypting sensitive information on a device’s local storage which makes them available only to the app itself (i.e., app scope). This means that if an attacker were able to get their hands on your phone, they would not be able to access any of the information stored in these encrypted files unless they also had your credentials (e.g., passwords) or cracked the decryption algorithm (which would probably take quite some time given the increase in processing power that comes with every new generation of smartphones).

This isn’t the case for instant apps. Since they can be accessed via an URL and don’t download any file from their servers by default, Android uses a different storage mechanism to store these keys: the browser’s cache. This means that if you use Chrome to visit a website with an instant app version, you will actually see two URLs in your address bar, one which points to the official site, and the other pointing to the actual JavaScript bundle containing your encrypted personal data.

This means that if you were to share your device with someone or let them use it for a minute, they could potentially access all of this information by checking the files inside Chrome’s cache folder which are publicly accessible. Of course, they wouldn’t be able to decrypt anything without your credentials (unless they were somehow able to determine the encryption key), but still, this poses a significant privacy concern.

Fortunately, Google has recognized these potential issues and is working on solutions for both of them. For instance, starting with Android O, Google Play Services will encrypt all of your data using a key that will be derived from the lock screen password or PIN code. This means that if someone gains access to your device, they won’t be able to read anything stored in these cached files without knowing your credentials first.

Secondly, Google announced that all future instant apps will use app scope for storage which means that all encryption keys will be properly stored inside the app itself instead of Chrome’s cache. This is definitely a step in the right direction, and it should make instant apps as secure as native ones which use their own custom key store to keep data private.

All in all, instant apps provide convenience and functionality that you don’t get with regular apps, but they come at the cost of security which is why you need to be aware of these potential issues.


Tips to Recognize Insecure Instant Apps

You can recognize insecure instant apps by checking the URL of the link you received. For example, if it starts with “”, then it’s safe to assume that this is an insecure instant app (please bear in mind that your mileage may vary depending on which version of Android you’re running and whether or not Google Play Services has been updated).

However, even secure instant apps have a few things to look out for since they can be used as shortcuts for phishing attacks. First, always check the origin of the link you receive before opening any links from people you don’t know or trust. This can easily be done by checking their URLs against popular social media websites like Twitter, Facebook, etc… If they are indeed linked to one of these services, then you can proceed with opening them.

Secondly, check the permissions that the app is requesting before installing it. This includes anything that it might be trying to access on your device or even via your internet connection. If something seems fishy to you, don’t install it and contact the developer instead. This will usually solve any issues since they are aware of how insecure their instant apps are (although this isn’t always true).

Finally, if someone tries to send you an instant app link over SMS or email which looks suspicious for one reason or another, then simply ignore it. There’s no point in hanging around waiting for trouble after all.


Luckily for Android developers, Instant Apps are still relatively new and no “killer” instant app has been released in the wild (although there are rumors that Facebook will start using Instant Apps soon enough). This means that it’s still safe to use them in your app, at least until someone releases an instant version of Facebook or YouTube in order to gain an advantage over their competition.

You should still be aware of the security concerns mentioned above since they might cause problems when used by third party apps or even when users make mistakes themselves (like giving away sensitive information without knowing). Fortunately for us, Google is making changes fast and hopefully everything should work out in a few months from now which means that we can safely use these new tools without losing our sleepover security issues.

Sunvera Software develops next-level software applications from start-to-finish. We are a premier software and mobile app development agency specializing in healthcare mobile app development, custom mobile app development, telehealth software, sales dashboards, custom mobile app development services, retail software development, supply-chain software, ecommerce, shopify, web design, iBeacon apps, security solutions and unified access software.

We are proud partners with Amazon AWS, Microsoft Azure and Google Cloud.

Schedule a free 30-minute call with us to discuss your business, or you can give us a call at (949) 284-6300.