PSA: Starting in August this year, for newly published Android apps, Google will require that *they* sign apps, not you. This means that the Android security model is fundamentally broken, because the app is signed by the distributor and not by the developer. (1/3)
This means that Google can (or can be forced to) distribute backdoored versions of popular apps to targeted people. The app you are downloading may be different from the app your neighbour is downloading. And the app signature will be perfectly valid for both of them. (2/3)
Since this tweet is now on HN, some clarification: On Android, if you install an app for the first time, the OS remembers the signing certificate. Any update that is not signed by the same cert will be rejected (TOFU). The Play Store cannot circumvent this.
It can't directly circumvent it but it can do it by uninstalling the app and reinstalling it in the background since the OEMs building it into their OS grant it those privileges. Play services can backup the app data beforehand and restore it after installing the new variant.
Backup service support can be disabled but that hurts usability. It disables backups on an OS like GrapheneOS where the OS backup service is end-to-end encrypted via a seed phrase even though the implications aren't the same. There's the new device-to-device backup mode anyway.
Is that using the "android backup" mechanism, or can it actually backup all private app data? Android backup isn't used by all apps, so the user might notice.
Using the standard backup mechanism. Apps don't have a choice about whether they support it anymore. They can still blacklist files or provide their own implementation of the backup service for themselves, so they can disable it by blacklisting files or using a no-op service.
See developer.android.com/about/versions about further changes to backup in Android 12. It's still possible for apps to exclude data but the vast majority aren't doing it in a way that disables device-to-device backups for Android 11 and especially with the upcoming Android 12.
A backup service built into the OS and whitelisted by it such as Play services on any device shipping it could pretend that it's a device-to-device backup when it isn't. Apps can still exclude all their data but they have to do it explicitly and can't just say no backups anymore.
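The explicit per-file opt-out that the last few replies describe is expressed, for apps targeting Android 12, in the data extraction rules resource referenced from the manifest with `android:dataExtractionRules` (older targets use `android:fullBackupContent` with a similar `<full-backup-content>` file). The example below is an added illustration, not something any poster in this thread wrote or a file from a real app; the file, database and shared-preference names are invented, and the choice to exclude the same items from both the cloud and the device-transfer sections is the point the replies above make: a `<device-transfer>` block that lists nothing excludes nothing.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/data_extraction_rules.xml (Android 12 / API 31 format).
     Referenced from AndroidManifest.xml as
       android:dataExtractionRules="@xml/data_extraction_rules"
     Names below (session_tokens.xml, keystore_cache.db, private_keys/)
     are hypothetical and stand in for an app's own secrets. -->
<data-extraction-rules>

    <!-- Cloud backup (Google Drive / the OS backup transport).
         disableIfNoEncryptionCapabilities="true" refuses the backup entirely
         when the transport cannot end-to-end encrypt it. -->
    <cloud-backup disableIfNoEncryptionCapabilities="true">
        <!-- domain="sharedpref": path is a file under shared_prefs/ -->
        <exclude domain="sharedpref" path="session_tokens.xml"/>
        <!-- domain="database": path is a file under databases/ -->
        <exclude domain="database" path="keystore_cache.db"/>
        <!-- domain="file": path is a file or directory under files/ -->
        <exclude domain="file" path="private_keys/"/>
    </cloud-backup>

    <!-- Device-to-device transfer. This section is separate: excluding a
         file from cloud backup above does NOT exclude it here, so the same
         entries must be repeated, or the data travels during a transfer. -->
    <device-transfer>
        <exclude domain="sharedpref" path="session_tokens.xml"/>
        <exclude domain="database" path="keystore_cache.db"/>
        <exclude domain="file" path="private_keys/"/>
    </device-transfer>

</data-extraction-rules>
```

The check a reviewer would make against this file is the one the thread implies: diff the `<exclude>` lists of the two sections, and treat an app whose `<device-transfer>` block is empty (or absent, so that the defaults apply) as one whose private data a privileged backup agent can read out under the device-to-device path regardless of what it excluded from cloud backup.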