Conversation

Danilo πŸ‡ΊπŸ‡¦
@dbrgn
PSA: Starting in August this year, for newly published Android apps, Google will require that *they* sign apps, not you. This means that the Android security model is fundamentally broken, because the app is signed by the distributor and not by the developer. (1/3)
10
419
Danilo πŸ‡ΊπŸ‡¦
@dbrgn
This means that Google can (or can be forced to) distribute backdoored versions of popular apps to targeted people. The app you are downloading may be different from the app your neighbour is downloading. And the app signature will be perfectly valid for both of them. (2/3)
6
201
Danilo πŸ‡ΊπŸ‡¦
@dbrgn
Since this tweet is now on HN, some clarification: On Android, if you install an app for the first time, the OS remembers the signing certificate. Any update that is not signed by the same cert will be rejected (TOFU). The Play Store cannot circumvent this.
2
33
Daniel Micay
@DanielMicay
Replying to
@dbrgn
It can't directly circumvent it but it can do it by uninstalling the app and reinstalling it in the background since the OEMs building it into their OS grant it those privileges. Play services can backup the app data beforehand and restore it after installing the new variant.
Twitter Web App
Daniel Micay
@DanielMicay
Replying to
@DanielMicay
and
@dbrgn
Backup service support can be disabled but that hurts usability. It disables backups on an OS like GrapheneOS where the OS backup service is end-to-end encrypted via a seed phrase even though the implications aren't the same. There's the new device-to-device backup mode anyway.
1
Danilo πŸ‡ΊπŸ‡¦
@dbrgn
Replying to
@DanielMicay
Is that using the "android backup" mechanism, or can it actually backup all private app data? Android backup isn't used by all apps, so the user might notice.
1
Show replies