Ask HN: Android developers, are you OK giving your signing keys to Google?
Google uses comforting language to portray this as a very convenient feature for 'most' developers. However, this would also give Google an ability to ship modified apps to users, still signed by perfectly valid App key, and this perspective looks really scary to me.
> To use Play App Signing today you have to provide a copy of your existing app signing key because Google Play needs a copy of it to sign and deliver updates to your existing users. This suits most developers, over 1M apps are using Play App Signing in production.
They also promise to have a way of signing up without uploading a key 'soon', but it is not clear how it will work from the description:
> Soon, we will add an additional option for existing apps to opt in to Play App Signing by performing a key upgrade. Choosing this option means Play App Signing can use a new, unique key for all new installs and their updates. However, for this to work, when you upload an app bundle, you also need to upload a legacy APK signed with your old key so that Google Play can continue to deliver updates to your existing users.
What's your perspective on this?
[1]: https://android-developers.googleblog.com/2021/06/the-future-of-android-app-bundles-is.html
[2]: https://developer.android.com/studio/publish/app-signing
28 comments
[ 2.8 ms ] story [ 71.0 ms ] threadInterestingly, this also allows hostile takeovers of applications by state supported attackers, as you are no longer able to trust if the APK is signed by the original developer or not.
I agree that this possibility exists, and personally wished it wasn't.
Please correct me if I am wrong with this assumption.
I’m not familiar with Android signature approach. But it seems a pointless change to me. Just distribute additional CAs and re-sign my application.
This is like asking users to provide their cleartext passwords.
Will Win11 use the Play Store listings or something else?
APKs aren't their issue here, right? It's the idea that Google wants your keys to list on the Play Store. In theory you could not list on the Play Store and just list on Amazon, avoiding the requirement to hand over the keys.