Android's package manager verifies app signatures and uses versionCode to provide downgrade protection. The signing key for each installed app is pinned and can only be changed via an authorized rotation.
source.android.com/security/apksi
This enables having a decentralized trust model.
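The install-time policy the thread describes (signature check, versionCode downgrade protection, a pinned signer that can only change through an authorized rotation) as an added Python model. This is example code written for this page, not GrapheneOS's or Android's own code: the certificate names, package name and version numbers are constructed, and HMAC-SHA256 stands in for the asymmetric signatures APK Signature Scheme v3 actually uses, so that it runs with only the standard library. The policy logic is what the example demonstrates.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for signer certificates: a certificate name maps to the
# secret used to produce its "signature" (HMAC-SHA256). Real APK signing uses
# asymmetric keys; only the install policy modelled below is the point here.
KEYS = {
    "cert-A": b"dev-key-a",       # developer's original key
    "cert-B": b"dev-key-b",       # developer's rotated key
    "cert-X": b"attacker-key-x",  # a key the developer never authorized
}


def sign(cert: str, data: bytes) -> bytes:
    return hmac.new(KEYS[cert], data, hashlib.sha256).digest()


def verify(cert: str, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(cert, data), sig)


def rotation_msg(old: str, new: str) -> bytes:
    # Statement "old key authorizes new key", which the old key must sign
    return f"rotate:{old}->{new}".encode()


@dataclass(frozen=True)
class Apk:
    package: str
    version_code: int
    signer: str            # certificate whose key signed this APK
    lineage: tuple         # certs oldest-first, ending in `signer`; () if never rotated
    lineage_sigs: tuple    # lineage_sigs[i] = sign(lineage[i], rotation_msg(lineage[i], lineage[i+1]))
    sig: bytes

    def payload(self) -> bytes:
        # The lineage is covered by the APK signature so it cannot be swapped
        return f"{self.package}|{self.version_code}|{self.signer}|{'>'.join(self.lineage)}".encode()


def build_apk(package, version_code, signer, lineage=(), rotation_signers=None):
    """Produce a signed APK. `rotation_signers` (hypothetical test hook) lets a
    caller sign a lineage step with the wrong key; default is the honest key."""
    sigs = []
    for i in range(len(lineage) - 1):
        who = rotation_signers[i] if rotation_signers else lineage[i]
        sigs.append(sign(who, rotation_msg(lineage[i], lineage[i + 1])))
    unsigned = Apk(package, version_code, signer, tuple(lineage), tuple(sigs), b"")
    return Apk(package, version_code, signer, tuple(lineage), tuple(sigs),
               sign(signer, unsigned.payload()))


class PackageManager:
    """Installed state: package -> (version_code, pinned signer certificate)."""

    def __init__(self):
        self.installed = {}

    def _lineage_ok(self, apk: Apk) -> bool:
        if not apk.lineage:
            return True
        if apk.lineage[-1] != apk.signer or len(apk.lineage_sigs) != len(apk.lineage) - 1:
            return False
        # Every rotation step must be authorized by the key being rotated away from
        return all(
            verify(apk.lineage[i], rotation_msg(apk.lineage[i], apk.lineage[i + 1]), apk.lineage_sigs[i])
            for i in range(len(apk.lineage) - 1)
        )

    def install(self, apk: Apk) -> str:
        if not verify(apk.signer, apk.payload(), apk.sig):
            return "rejected: bad APK signature"
        if not self._lineage_ok(apk):
            return "rejected: invalid rotation proof"
        if apk.package in self.installed:
            cur_version, pinned = self.installed[apk.package]
            if apk.version_code < cur_version:
                return f"rejected: downgrade {cur_version} -> {apk.version_code}"
            if apk.signer != pinned:
                # Authorized rotation only: the pinned cert must appear earlier
                # than the new signer in a lineage whose steps all verified
                if pinned not in apk.lineage or apk.lineage.index(pinned) >= apk.lineage.index(apk.signer):
                    return f"rejected: signer {apk.signer} does not match pinned {pinned}"
        self.installed[apk.package] = (apk.version_code, apk.signer)
        return "installed"


def demo() -> list:
    pm = PackageManager()
    return [
        pm.install(build_apk("app.example", 1, "cert-A")),  # fresh install pins cert-A
        pm.install(build_apk("app.example", 2, "cert-A")),  # normal update
        pm.install(build_apk("app.example", 1, "cert-A")),  # downgrade rejected
        pm.install(build_apk("app.example", 3, "cert-X")),  # unpinned signer rejected
        pm.install(build_apk("app.example", 3, "cert-X", ("cert-A", "cert-X"), ["cert-X"])),  # forged rotation
        pm.install(build_apk("app.example", 3, "cert-B", ("cert-A", "cert-B"))),  # rotation signed by cert-A
        pm.install(build_apk("app.example", 4, "cert-A")),  # old key no longer accepted after rotation
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last two cases show why the rotation has to be signed by the key being retired: a lineage that merely names the old certificate proves nothing, and once the pin has moved to the new certificate the old one is not accepted again.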
Historically, Google's Play Store used a decentralized trust model of shipping apps signed by the developers.
In an OS with Google apps and services integrated, the Play Store is granted the ability to do background app installs / uninstalls but cannot bypass the signing checks.
Google has been moving away from this to an approach matching Apple. Developer keys will only be used to verify uploads of bundles used to generate packages signed by the app store.
Amazon and the official F-Droid repository also centralize trust, just without the optimizations.
Due to the package manager pinning keys, developers of existing apps need to upload their keys to transfer trust to the Play Store.
These keys are usually the same ones used to sign releases outside the Play Store too. For a new app, this particular issue doesn't exist though.
After August 2021, app bundles will be enforced for new apps. GrapheneOS won't be releasing standalone apps via the Play Store anymore.
It would be possible to keep updating apps we already published through it until it becomes mandatory for those but we'll likely stop earlier.
It's likely that we'll stop bothering with supporting more than GrapheneOS in our standalone apps going forward. There's not much appeal in doing it if we can't distribute them through the main distribution mechanism used elsewhere. They might as well just be part of GrapheneOS.