While I wait for a response from the @Android team, does anybody know what the consequences of a leaked APK signing key are?
https://developer.android.com/studio/publish/app-signing.html#considerations … indicates that code/data can be shared among apps with the same signing key, but it's not clear if that's opt-in or not.
@hanno
Is an App in the Play Store tied to a specific Google account though? That is, if I would make a malicious app update, would I need both the signing key and also the credentials to the Google account?
yeah, to deploy the new app to a device via the "normal" methods you'd have to take over the Play Store account as well. If you had some form of MITM or a sideload type situation, the signing key would be enough. which is why @eacmen basically said "meh"