PSA: Starting in August this year, for newly published Android apps, Google will require that *they* sign apps, not you. This means that the Android security model is fundamentally broken, because the app is signed by the distributor and not by the developer. (1/3)
That has another interesting security implication: currently, an app's identity is tied to the key, so changing the key of an installed app means it has no access to the data in the previous installation, unless the previous version explicitly allowed that.
Workaround incoming?
Maybe. The "key cannot be changed" issue is indeed a problem. If your signing key is exposed, you'll have to decide between a key replacement and access to your current user base.
Android added support for key rotation in a backwards compatible way in Android 9 so this isn't accurate:
source.android.com/security/apksi
Android < 9 will still work after the key rotation using the legacy signing key. Android 8.0 is end-of-life anyway, and Android 8.1 will be soon.
Major releases of the OS receive approximately 3 years of security updates. Android 8.1 has received longer support than usual but is past that point and will be dropped soon.
Devices need to update the OS version to keep providing security updates for a long period of time.
I don't think it matters that end-of-life versions of the OS without security updates continue using the legacy signing key. Those users have bigger issues and key rotation works where it matters.
You're still screwed if you lose the app signing key since then you can't rotate.
One of the reasons for Google wanting to move away from this system for the Play Store is that many developers aren't up to the task of managing these keys well. They had Google Play App Signing as an option before app bundles. It doesn't change how the OS (Android) itself works.
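As an added example (not code from the thread or from Android's own sources): a Java snippet showing how an app on Android 9+ can check another installed package's signer in a way that keeps working across the backwards-compatible key rotation discussed above, by letting the platform consult the proof-of-rotation lineage instead of comparing only the current certificate. The package name passed in and the pinned digest are placeholders.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Verifies a package's signer identity while tolerating v3 key rotation (API 28+). */
public final class SignerCheck {
    // Placeholder: SHA-256 of the DER-encoded certificate you trust. This may be the
    // key from BEFORE a rotation; the lineage lets the platform still match it.
    private static final byte[] TRUSTED_CERT_SHA256 = hexToBytes(
            "0000000000000000000000000000000000000000000000000000000000000000");

    public static boolean isTrustedSigner(Context ctx, String pkg) {
        PackageManager pm = ctx.getPackageManager();
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            SigningInfo si = info.signingInfo;
            // Multi-signer APKs carry no rotation lineage: require an exact match
            // against one of the current signers (constant-time compare).
            if (si.hasMultipleSigners()) {
                for (Signature s : si.getApkContentsSigners()) {
                    if (MessageDigest.isEqual(sha256(s.toByteArray()), TRUSTED_CERT_SHA256)) {
                        return true;
                    }
                }
                return false;
            }
            // Single signer: hasSigningCertificate matches the current certificate OR any
            // ancestor in the proof-of-rotation lineage, so a pin on the old key survives
            // a rotation, whereas comparing getApkContentsSigners() alone would break.
            return pm.hasSigningCertificate(pkg, TRUSTED_CERT_SHA256,
                    PackageManager.CERT_INPUT_SHA256);
        } catch (PackageManager.NameNotFoundException e) {
            return false; // package not installed
        }
    }

    private static byte[] sha256(byte[] der) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(der);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

On devices below Android 9 the same package is verified against its legacy (v1/v2) signature, which is why the thread notes that the old key keeps working there.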