Hi everyone,
I'm facing a persistent and annoying issue with my B4A apps. Every time I install an APK on an Android device, Play Protect shows the "Unsafe app blocked / Install anyway" warning.
What's driving me crazy is that this doesn't happen when I build apps using Kotlin or Flutter on the same devices, only with B4A.
My environment and what I’ve already checked:
Compilation Mode: I use Release Obfuscated.
Signing: I use my own Private Sign Key (not the debug key).
Connectivity: I usually install these apps on devices without an internet connection, so the check is purely local/heuristic.
Location: I am based in Cuba, so using the "Google Play Protect Appeal" form or the Play Console is not a viable option for me due to regional restrictions.
The core of the problem:
Since Kotlin/Flutter apps sign and install without this warning on the same offline devices, there must be something in the way B4A packages the DEX, handles the obfuscation, or structures the Manifest that triggers the local Play Protect heuristic.
My questions:
Is there a specific ProGuard or Obfuscation setting in B4A that is known to trigger "malware-like" patterns in local scans?
Does B4A include any default permissions or services (like the Starter service) that might look "suspicious" to a local scanner compared to a standard Gradle build in Kotlin?
Is there any way to make the B4A APK structure more "standard" to match how Flutter/Kotlin apps are seen by the Android installer?
I would appreciate any insights, especially from those who have to distribute apps offline or via sideloading.
Thanks in advance!
I'm facing a persistent and annoying issue with my B4A apps. Every time I install an APK on an Android device, Play Protect shows the "Unsafe app blocked / Install anyway" warning.
What's driving me crazy is that this doesn't happen when I build apps using Kotlin or Flutter on the same devices, only with B4A.
My environment and what I’ve already checked:
Compilation Mode: I use Release Obfuscated.
Signing: I use my own Private Sign Key (not the debug key).
Connectivity: I usually install these apps on devices without an internet connection, so the check is purely local/heuristic.
Location: I am based in Cuba, so using the "Google Play Protect Appeal" form or the Play Console is not a viable option for me due to regional restrictions.
The core of the problem:
Since Kotlin/Flutter apps sign and install without this warning on the same offline devices, there must be something in the way B4A packages the DEX, handles the obfuscation, or structures the Manifest that triggers the local Play Protect heuristic.
My questions:
Is there a specific ProGuard or Obfuscation setting in B4A that is known to trigger "malware-like" patterns in local scans?
Does B4A include any default permissions or services (like the Starter service) that might look "suspicious" to a local scanner compared to a standard Gradle build in Kotlin?
Is there any way to make the B4A APK structure more "standard" to match how Flutter/Kotlin apps are seen by the Android installer?
I would appreciate any insights, especially from those who have to distribute apps offline or via sideloading.
Thanks in advance!