Ask HN: Android developers, are you OK giving your signing keys to Google?

41 points by Andrew_nenakhov ↗ HN
According to [1], Google is transitioning from APK format to AAB (Android App Bundle) which features Play App Signing [2], which, essentially, requires you to give Google your App's existing signing keys, with all the usual implications.

Google uses comforting language to portray this as a very convenient feature for 'most' developers. However, this would also give Google an ability to ship modified apps to users, still signed by perfectly valid App key, and this perspective looks really scary to me.

> To use Play App Signing today you have to provide a copy of your existing app signing key because Google Play needs a copy of it to sign and deliver updates to your existing users. This suits most developers, over 1M apps are using Play App Signing in production.

They also promise to have a way of signing up without uploading a key 'soon', but it is not clear how it will work from the description:

> Soon, we will add an additional option for existing apps to opt in to Play App Signing by performing a key upgrade. Choosing this option means Play App Signing can use a new, unique key for all new installs and their updates. However, for this to work, when you upload an app bundle, you also need to upload a legacy APK signed with your old key so that Google Play can continue to deliver updates to your existing users.

What's your perspective on this?

[1]: https://android-developers.googleblog.com/2021/06/the-future-of-android-app-bundles-is.html

[2]: https://developer.android.com/studio/publish/app-signing

28 comments

[ 2.8 ms ] story [ 71.0 ms ] thread
I'm seeing this as Google enforcing control towards the platform. Lot of developers were unhappy with this, but when have a big corp listened to developers.
When they stop giving revenue.
The revenue is generated on ads via spying on users. So they do not care about Android devs.
> Google uses comforting language to portray this as a very convenient feature for 'most' developers. However, this would also give Google an ability to ship modified apps to users, still signed by perfectly valid App key, and this perspective looks really scary to me.

Interestingly, this also allows hostile takeovers of applications by state supported attackers, as you are no longer able to trust if the APK is signed by the original developer or not.

An honest question; Due to the way developer keys are derivative from a root certificate in Apple's ecosystem, hasn't this been a possibility there as well since the beginning of the appstore?

I agree that this possibility exists, and personally wished it wasn't.

I am not familiar with Apple's app signing procedures, but from what you have said, it sounds like you create your own certificate and Apple cross signs your code bundle. In that case, Apple can not start publishing their own version but they can only remove their "blessing" by not signing your code anymore.

Please correct me if I am wrong with this assumption.

You can change your developer certificate at any time though by getting a new one from Apple; so even if your signature is still in the resulting distribution somewhere (which I don't think it could be, but I mostly deal in creating forged signatures instead of parsing existing ones), it wouldn't have the end-to-end security properties Android has (well, "had" :/).
That is very disappointing. Having a verified publisher signature is a good security measure, but Apple seem to not believe that.
If you give them your keys, then what's the point of having keys in the first place?
^ this.

I’m not familiar with Android signature approach. But it seems a pointless change to me. Just distribute additional CAs and re-sign my application.

This is like asking users to provide their cleartext passwords.

Android's PackageManager system doesn't use CAs. It's a trust-on-first-install system where any updates must be signed with the same cert as the original install. I don't know if it's still the case, but when I last looked at the code (around AOSP 6, I think), it did a byte-by-byte comparison of the certificate. If a update to an app was signed by even a renewed cert (with the same private key), Android would not allow it to be installed.
Then change how PackageManager works.
You have to sign it first, so the keys are still useful.
The device itself still works with code signatures verified over time that derive from the same certificate, so giving Google your signing keys now lets Google forge updates of your app, but still prevents say, me, from doing so.
If I could choose, I would rather that this wasn't a requirement but rather an option. As it stands there is little that can be done about it (unless I open source my code and start publishing on F-droid).
Even that wouldn't help if you need some kind of background functionality that would require waking up the app from time to time, because push notifications won't work.
Yes your correct, there are plenty of headaches that come with publishing outside of the Play store. The least of them is open sourcing when going for one of the bigger alt stores F-droid.
You can publish your own F-Droid repository and your app can use GCM, no?
No. Btw they are called FCM now.
Can you elaborate on what exactly is stopping someone from hosting their own repository for F-Droid and publishing an app that uses FCM/GCM?
Control of signing apps has been taken from the programmer and is being seized by Google. As an Android programmer, I see this as being a negative.
What stops google now from being able to modify the apps? You honestly think because you signed it, they can't bundle it with whatever they want to?
Microsoft just announced being able to run Android apps on Win 11. Related in some way?

Will Win11 use the Play Store listings or something else?

They'll use Amazon listed apps, so still APKs.
I didn't even realize they had a separate store. I guess I have to look into uploading there too.

APKs aren't their issue here, right? It's the idea that Google wants your keys to list on the Play Store. In theory you could not list on the Play Store and just list on Amazon, avoiding the requirement to hand over the keys.