HACKER Q&A
📣 Andrew_nenakhov

Android developers, are you OK giving your signing keys to Google?

According to [1], Google is transitioning from the APK format to AAB (Android App Bundle), which features Play App Signing [2], which essentially requires you to give Google your app's existing signing keys, with all the usual implications.

Google uses comforting language to portray this as a very convenient feature for 'most' developers. However, this would also give Google an ability to ship modified apps to users, still signed by perfectly valid App key, and this perspective looks really scary to me.

> To use Play App Signing today you have to provide a copy of your existing app signing key because Google Play needs a copy of it to sign and deliver updates to your existing users. This suits most developers, over 1M apps are using Play App Signing in production.

They also promise to have a way of signing up without uploading a key 'soon', but it is not clear how it will work from the description:

> Soon, we will add an additional option for existing apps to opt in to Play App Signing by performing a key upgrade. Choosing this option means Play App Signing can use a new, unique key for all new installs and their updates. However, for this to work, when you upload an app bundle, you also need to upload a legacy APK signed with your old key so that Google Play can continue to deliver updates to your existing users.

What's your perspective on this?

[1]: https://android-developers.googleblog.com/2021/06/the-future-of-android-app-bundles-is.html

[2]: https://developer.android.com/studio/publish/app-signing
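One concrete defensive check against the concern raised above, as an added example that is not part of the post and not Google's tooling: once the signing key no longer proves who produced the bytes, what a developer can still verify is that the APK the store delivers has the same content as the APK they built themselves, ignoring only the signature entries that a signer rewrites. The script below uses the Python standard library only; the sample entries are constructed, and the reference artifact is assumed to be an APK you generated locally from the same bundle (for example with bundletool) for the same device configuration.

```python
import hashlib
import io
import zipfile

# Entries that a signer (apksigner, jarsigner, or Play App Signing) rewrites or
# adds when it produces a v1 (JAR) signature. Everything else in the archive is
# app content: manifest, dex, resources, assets, native libraries.
SIGNATURE_SUFFIXES = (".mf", ".sf", ".rsa", ".dsa", ".ec")


def is_signature_entry(name: str) -> bool:
    """True for META-INF/MANIFEST.MF, *.SF and the PKCS#7 signature files."""
    lower = name.lower()
    return lower.startswith("meta-inf/") and lower.endswith(SIGNATURE_SUFFIXES)


def apk_content_digest(apk_bytes: bytes) -> str:
    """SHA-256 over the uncompressed bytes of every non-signature entry, taken in
    sorted name order. Re-signing, zipalign, a different compression level or a
    different entry order leave it unchanged; any change to code or resources
    changes it. The v2/v3 APK Signing Block is not a zip entry, so it is never
    included either."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if name.endswith("/") or is_signature_entry(name):
                continue
            data = zf.read(name)
            # Length-prefix the name and the data so entry boundaries are unambiguous.
            h.update(len(name).to_bytes(4, "big") + name.encode("utf-8"))
            h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def same_content(reference_apk: bytes, delivered_apk: bytes) -> bool:
    """Compare the APK you built against the one the store delivered."""
    return apk_content_digest(reference_apk) == apk_content_digest(delivered_apk)


def build_sample_apk(entries: dict, compression: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Constructed stand-in for an APK: a zip holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample content; not bytes from any real app.
APP_CONTENT = {
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00constructed-dex-bytes",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/services/com.example.Plugin": b"com.example.PluginImpl\n",
}


def developer_build() -> bytes:
    """What the developer produced and signed locally with their own key."""
    return build_sample_apk({
        **APP_CONTENT,
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nCreated-By: developer\n",
        "META-INF/DEV.SF": b"Signature-Version: 1.0\n",
        "META-INF/DEV.RSA": b"\x30\x82constructed-pkcs7-developer",
    })


def resigned_by_store() -> bytes:
    """Same content, re-signed with a different key and repacked uncompressed."""
    return build_sample_apk({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nCreated-By: store\n",
        "META-INF/STORE.SF": b"Signature-Version: 1.0\n",
        "META-INF/STORE.RSA": b"\x30\x82constructed-pkcs7-store",
        **APP_CONTENT,
    }, compression=zipfile.ZIP_STORED)


def tampered_by_store() -> bytes:
    """Re-signed and also carrying a modified classes.dex."""
    entries = {**APP_CONTENT, "classes.dex": APP_CONTENT["classes.dex"] + b"-extra-code"}
    entries["META-INF/MANIFEST.MF"] = b"Manifest-Version: 1.0\nCreated-By: store\n"
    entries["META-INF/STORE.SF"] = b"Signature-Version: 1.0\n"
    entries["META-INF/STORE.RSA"] = b"\x30\x82constructed-pkcs7-store"
    return build_sample_apk(entries)


if __name__ == "__main__":
    ref = developer_build()
    print("re-signed only :", same_content(ref, resigned_by_store()))  # True
    print("content changed:", same_content(ref, tampered_by_store()))  # False
```

Against real files the call is `same_content(open("local.apk", "rb").read(), open("delivered.apk", "rb").read())`. Compare like with like: Play serves split APKs generated from the bundle, so the reference should be the split for the same device configuration, not a universal APK. The check establishes that the delivered content matches your build; it says nothing about who holds the key that signed it, which is exactly the property the question says is lost.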


  👤 csunbird Accepted Answer ✓
> Google uses comforting language to portray this as a very convenient feature for 'most' developers. However, this would also give Google an ability to ship modified apps to users, still signed by perfectly valid App key, and this perspective looks really scary to me.

Interestingly, this also allows hostile takeovers of applications by state-supported attackers, as you are no longer able to trust whether the APK was signed by the original developer or not.

👤 bouncycastle
If you give them your keys, then what's the point of having keys in the first place?

👤 Mc91
Control of signing apps has been taken from the programmer and is being seized by Google. As an Android programmer, I see this as being a negative.

👤 gowthamgts12
I'm seeing this as Google enforcing control over the platform. A lot of developers were unhappy with this, but when has a big corp listened to developers?

👤 MrDresden
If I could choose, I would rather that this wasn't a requirement but rather an option. As it stands there is little that can be done about it (unless I open source my code and start publishing on F-droid).

👤 darkcha0s
What stops Google now from being able to modify the apps? You honestly think that because you signed it, they can't bundle it with whatever they want to?

👤 giantg2
Microsoft just announced being able to run Android apps on Win 11. Related in some way?

Will Win11 use the Play Store listings or something else?

👤 jsnell
Frontpage discussion today: https://news.ycombinator.com/item?id=27695486