Google also now managing app signing keys, like F-Droid

Lol, so after all those raging debates and flames, it turns out that F-Droid was a pioneer and innovator, years ahead of Google. “With Google Play App Signing, you can securely manage your app signing keys for new or existing apps. Keys are stored on the same secure infrastructure Google uses to store its own keys.”

Anyone hear anything about Google’s motivations for doing this?

From the article on Android Police (on mobile so no link), this is just to make things easier for developers. And also make it less likely that developers accidentally lose their signing key.

That’s one consideration. But I’m guessing that’s just their public reason. I’ll bet they did it for very different reasons. It basically is a reversal of the driving idea behind APK signatures since the beginning of Android: decentralized cryptography and Google Play never modifying the binaries.

Probably for pragmatic, data-based reasons. Originally, being minimally centralised was better, but in fact developers and users are in general better served by having to do less, and the legal viewpoint is still that the key belongs to the developer, not Google, so they don’t have to “sign off” that any Play Store app is not complete crap or that it won’t kill kittens.

Old thread, but topic is very relevant.

Amazon has always been re-signing apps you submit with their own key (just like Apple). They inject their code into apps: Understanding Amazon Appstore Submission | App Submission

Google hardly needs any dirty tricks as they control the whole platform. But keys give them power, who knows how they’ll use it.

And how do they re-sign an application without the source?
Do they decompile it?

And how do they re-sign an application without the source?
Do they decompile it?

An app is just a ZIP file where code, resources and signature are files with fixed names. “Re-signing” simply replaces the signature files in the ZIP.

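To make the ZIP-surgery point concrete, here is a toy re-signer as an added example (not code from this thread, nor from F-Droid, Amazon or Google). It shows the v1 (JAR) scheme the post above describes: the signature lives entirely in META-INF/MANIFEST.MF, META-INF/CERT.SF and META-INF/CERT.RSA, so a store can drop those three files, regenerate them under its own key, and leave classes.dex and every other entry byte-for-byte untouched. Two things are assumptions of the example: the sample "APK" is a constructed ZIP, not a real app, and the store's CERT.RSA is modelled as an HMAC-SHA256 over CERT.SF instead of the real PKCS#7/CMS RSA signature, so the block runs with the standard library only. The last function adds the caveat a practitioner would want: since Android 7 the v2/v3 APK Signature Scheme also signs the whole ZIP in an "APK Signing Block" placed just before the central directory, so swapping META-INF files alone leaves that block stale and a v2-verifying device rejects the result; a real re-signer (apksigner, or a store pipeline) must regenerate it as well.

```python
"""Toy v1 (JAR-style) APK re-signer: added example, stdlib only.

Assumptions: the 'APK' is a constructed ZIP, and the signature block
(CERT.RSA) is an HMAC-SHA256 over CERT.SF, standing in for PKCS#7/CMS.
"""
import base64
import hashlib
import hmac
import io
import struct
import zipfile

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # real v2/v3 magic, per the AOSP spec


def is_signature_entry(name: str) -> bool:
    """v1 signature metadata: META-INF/MANIFEST.MF plus META-INF/*.SF|RSA|DSA|EC."""
    if not name.startswith("META-INF/"):
        return False
    return name == "META-INF/MANIFEST.MF" or name.upper().endswith(SIG_SUFFIXES)


def content_entries(apk: bytes) -> dict:
    """Every entry that is NOT signature metadata, i.e. what the app actually ships."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {i.filename: z.read(i) for i in z.infolist() if not is_signature_entry(i.filename)}


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(entries: dict) -> bytes:
    """MANIFEST.MF: one section per content entry carrying its SHA-256 digest."""
    out = ["Manifest-Version: 1.0\r\nCreated-By: toy-resigner\r\n\r\n"]
    for name, data in sorted(entries.items()):
        out.append(f"Name: {name}\r\nSHA-256-Digest: {_b64_sha256(data)}\r\n\r\n")
    return "".join(out).encode()


def build_signature_file(manifest: bytes) -> bytes:
    """CERT.SF: digest of the whole manifest plus a digest of each manifest section."""
    _head, _, body = manifest.partition(b"\r\n\r\n")
    out = [f"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: {_b64_sha256(manifest)}\r\n\r\n"]
    for section in body.split(b"\r\n\r\n"):
        if not section:
            continue
        name = section.split(b"\r\n", 1)[0].decode()[len("Name: "):]
        digest = _b64_sha256(section + b"\r\n\r\n")  # JAR digests the section incl. blank line
        out.append(f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n")
    return "".join(out).encode()


def resign(apk: bytes, store_key: bytes, signer_name: str = "CERT") -> bytes:
    """Strip the old v1 signature files, keep every content entry unchanged, and
    write a fresh MANIFEST.MF / <signer>.SF / <signer>.RSA for the new signer."""
    content = content_entries(apk)
    manifest = build_manifest(content)
    sf = build_signature_file(manifest)
    sig_block = hmac.new(store_key, sf, hashlib.sha256).digest()  # stand-in for PKCS#7
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zout:
        zout.writestr("META-INF/MANIFEST.MF", manifest)
        zout.writestr(f"META-INF/{signer_name}.SF", sf)
        zout.writestr(f"META-INF/{signer_name}.RSA", sig_block)
        for name, data in content.items():
            zout.writestr(name, data)  # untouched bytes, no source needed
    return buf.getvalue()


def verify_v1(apk: bytes, store_key: bytes) -> bool:
    """Chain of trust: signature block over .SF, .SF over MANIFEST.MF, manifest over content."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = set(z.namelist())
        sf_names = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
        if len(sf_names) != 1 or "META-INF/MANIFEST.MF" not in names:
            return False
        sf = z.read(sf_names[0])
        sig = z.read(sf_names[0][:-3] + ".RSA")
        manifest = z.read("META-INF/MANIFEST.MF")
    if not hmac.compare_digest(sig, hmac.new(store_key, sf, hashlib.sha256).digest()):
        return False
    return sf == build_signature_file(manifest) and manifest == build_manifest(content_entries(apk))


def has_v2_signing_block(apk: bytes) -> bool:
    """v2/v3 signatures sit in a block ending with a 16-byte magic right before the
    central directory; swapping META-INF files leaves such a block stale."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        return False
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    return cd_offset >= 16 and apk[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC


def insert_fake_signing_block(apk: bytes) -> bytes:
    """Splice an empty APK Signing Block (no ID-value pairs) before the central
    directory and fix the EOCD offset, purely to exercise the detector."""
    eocd = apk.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    block = struct.pack("<Q", 24) + struct.pack("<Q", 24) + APK_SIG_BLOCK_MAGIC
    fixed_eocd = apk[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + apk[eocd + 20:]
    return apk[:cd_offset] + block + apk[cd_offset:eocd] + fixed_eocd


def make_sample_apk(dev_key: bytes) -> bytes:
    """Constructed developer-signed 'APK' (fake contents, not a real app)."""
    content = {"AndroidManifest.xml": b"<manifest package='org.example.app'/>",
               "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
               "resources.arsc": b"\x02\x00\x0c\x00" + b"\x00" * 8}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in content.items():
            z.writestr(name, data)
    return resign(buf.getvalue(), dev_key, "DEVELOPR")  # developer's own v1 signature


if __name__ == "__main__":
    dev, store = b"developer-key", b"store-key"
    original = make_sample_apk(dev)
    restored = resign(original, store)  # the store's key now vouches for the same bytes
    print("content identical:", content_entries(original) == content_entries(restored))
    print("verifies under store key:", verify_v1(restored, store), "under dev key:", verify_v1(restored, dev))
    print("v2 block present:", has_v2_signing_block(restored), has_v2_signing_block(insert_fake_signing_block(restored)))
```

Running it shows the re-signed file verifying only under the store key while every content entry matches the original, which is exactly why no source or decompilation is involved. The `has_v2_signing_block` check is the part to run on a real APK before attempting this by hand: if it returns True, the v2/v3 block must be regenerated too, or the package will fail installation on any modern device.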
Thanks for bringing up Amazon, @relan. It is a scary example of what’s to come.

Oops: https://nitter.net/ByteHamster/status/1272244176290275330#m

Yup, more info here:

“new apps” for now?

Just like locally branded but good-quality products are repackaged in big brands’ packaging :smiling_face:

Full circle as expected

“This means that developers switching from APK to App Bundles can no longer provide the exact same package or experience on other app sources unless they opt to maintain a separate APK version. This naturally puts third-party app stores at a disadvantage, but Google will most likely play up the Play Store’s security…”

Time to take our eggs out of 666gle’s basket?

This sucks, thanks a lot Google. If it’s not broke, don’t fix it. :rage:

Come on Hans, this is obviously to inject apps with binary code after compiling. Do you remember the viruses in the 80s? The Cascade virus, for example… something like that…

this is obviously to inject apps with binary code after compiling

What for? Google already has an official backdoor called Google Play Services and can do whatever they want with a device.