We made an attempt to use it in Android 11 (for end-to-end encrypted, non-Play backups) but it didn't really seem to exist yet at least in AOSP. I don't know how much is implemented for the stock OS. It's possible Play services has enough privileges to make it work despite that.
Conversation
Ok, let's assume Play Services replace an app on Android11 using this mechanism, and the app hasn't blacklisted its data for backup. The app icon would still disappear from your homescreen and some app settings would probably be reverted. Much more complex than pushing an update.
1
It's definitely more involved but keep in mind a bunch of core OS components are also built by Google now shipped via the Play Store via APEX components (also known as mainline modules or Google Play system update):
1
1
Android with Play is closer and closer to being Google Android instead of an OEM fork where they control everything. Of course, Android exists without Play and the CDD/CTS pass without Play services.
1
1
1
Android with Play is trending towards shipping a Google-built AOSP system image and kernel. I'm sure that's coming in the next couple of years. Mainline modules shipped via Play are already here though and include code loaded into system_server etc.
1
Ok, you've convinced me that if you're worried about backdoors from US state-level attackers, you shouldn't be using Google Play services.
However, there are other reasons why this is bad, for example this one:
1
I wouldn't necessarily say that someone with that threat model shouldn't be using Play services but by using an OS including Play they're using an OS with highly trusted core components built and shipped by Google via the Play Store.
2
1
1
For a user with Play built into the OS on a deep level, the Play Store taking over app signing doesn't really change much for them. For a user installing apps from the Play Store on an OS without Play services via an alternate client like Aurora Store, it does make a difference.
1
Either way, Play Store is trusted for an initial install of an app from it and the OS pinning / downgrade protection only kicks in afterwards. Also note that the way Google Play App Signing has always worked is that for legacy apps, they upload their existing keys to Google.
1
So, the app still appears to be signed by the developer even though it's being signed by Google because the developer chose to hand over their keys to them. This is still entirely optional, even after their announced changes since it's not being made mandatory for old apps (yet).
1
So, from my perspective, the main impact of this is that the Play Store won't be as good as a source of apps for users not using Play services. I think the impact on users who have a Play-based OS is pretty insignificant / meaningless. You can also still essentially reproduce it.
The app bundle tooling is open source and does reproducible builds. Google could have done this by having app developers generate a bunch of variants of apks, etc. from the app bundle. They chose to make it depend on Play Store App Signing instead of uploading a ton of stuff.
1
The advantage for them of tying it to Play Store App Signing is they can generate all the variants themselves and transparently add more variants over time. If the developers did it, it'd need to be limited to a reasonable set of variants and they couldn't ship more than those.