PSA: Starting in August this year, for newly published Android apps, Google will require that *they* sign apps, not you. This means that the Android security model is fundamentally broken, because the app is signed by the distributor and not by the developer. (1/3)
You don't have to distribute apps via the Google Play Store. On devices with Play services and the Play Store, the Play Store is granted the ability to do background installs and uninstalls anyway. Play services is set as a backup service so it can back up and restore app data.
I wrote a thread about the Play Store removing support for shipping apps with developer signatures at twitter.com/DanielMicay/st already. It has little impact on GrapheneOS, and our own first-party app repository will be using our own builds of apps signed with our keys anyway.
Quote Tweet
Android's package manager verifies app signatures and uses versionCode to provide downgrade protection. The signing key for each installed app is pinned and can only be changed via an authorized rotation.
source.android.com/security/apksi
This enables having a decentralized trust model.
I don't see how making that into an APEX module is a problem. It doesn't impact us either. Baseline Android doesn't include Play services or the Play Store. Including them involves giving them a bunch of privileges, which includes the ability to silently replace an app with another.
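A simplified model of the checks the quoted tweet describes (pinned signing key, versionCode downgrade protection, authorized rotation), added here as an example; it is not part of the thread and not Android's own code. The class names, package name and key digests are constructed placeholders, and each rotation link is assumed to have been cryptographically verified beforehand.

```python
from dataclasses import dataclass, field

@dataclass
class Installed:
    package: str
    version_code: int
    signer: str  # digest of the signing certificate pinned at first install

@dataclass
class Candidate:
    package: str
    version_code: int
    signer: str
    # Rotation proof as oldest-to-newest signer digests. Assumption: each
    # link's signature was already verified before this policy check runs.
    lineage: list = field(default_factory=list)

def check_update(installed, cand):
    """Return (accepted, reason) for a candidate update of an installed app."""
    if cand.package != installed.package:
        return False, "different package"
    if cand.version_code < installed.version_code:
        return False, "downgrade"
    if cand.signer == installed.signer:
        return True, "same signer"
    # A new signer is accepted only if the pinned signer appears earlier in
    # a lineage that ends at the new signer.
    if (cand.lineage and cand.lineage[-1] == cand.signer
            and installed.signer in cand.lineage[:-1]):
        return True, "authorized rotation"
    return False, "signer mismatch"

def apply_update(installed, cand):
    """Install the update and re-pin the signer, or raise if rejected."""
    ok, reason = check_update(installed, cand)
    if not ok:
        raise ValueError(reason)
    return Installed(cand.package, cand.version_code, cand.signer)

# Constructed sample data: package name and digests are placeholders.
INSTALLED = Installed("org.example.app", 42, "dev-key-A")
CASES = {
    "update": Candidate("org.example.app", 43, "dev-key-A"),
    "rollback": Candidate("org.example.app", 41, "dev-key-A"),
    "other_signer": Candidate("org.example.app", 43, "store-key-X"),
    "rotated": Candidate("org.example.app", 43, "dev-key-B", ["dev-key-A", "dev-key-B"]),
}

if __name__ == "__main__":
    for name, cand in CASES.items():
        print(name, check_update(INSTALLED, cand))
```

Under this model, whoever holds the pinned key decides which updates are accepted, which is why it matters whether that key belongs to the developer or the distributor.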

