Conversation

May 14, 2021

PSA: Starting in August this year, for newly published Android apps, Google will require that *they* sign apps, not you. This means that the Android security model is fundamentally broken, because the app is signed by the distributor and not by the developer. (1/3)

269

419

Danilo

@dbrgn

May 14, 2021

This means that Google can (or can be forced to) distribute backdoored versions of popular apps to targeted people. The app you are downloading may be different from the app your neighbour is downloading. And the app signature will be perfectly valid for both of them. (2/3)

201

Daniel Micay

@DanielMicay

Replying to

@dbrgn

They can already be forced to do this for the initial app install and as part of building Play services and the Play Store into the OS they're granted the ability to install / remove apps in the background and to backup/restore app data. They can transparently replace an app.

4:05 AM · May 17, 2021Twitter Web App