Android devs prepare to hand over app-signing keys to Google from August

Google will require mobile developers to use an Android App Bundle for submitting applications to its Play Store from August 2021, optimising distribution and also requiring Google to hold the developer's private signing key. Dom Elliott, Google Play product manager, said that from next month: "This will replace the APK as the …

  1. elsergiovolador Silver badge

    End of privacy

    So it appears that this is the way governments are going to tackle the end to end encryption problem.

    Now the target of surveillance will have a Play Store update waiting for them to install a special version of Telegram or Signal and it will be signed with the developer key.

    Well played, well played.

    > Google also has an optional feature intended to reassure developers, called Code transparency for app bundles. This uses a second signing key, held only by the developer, and can be used to verify that the APK delivered by the Play Store matches what the developer built, _subject to some limitations_.

    Of course :-)

    1. Khaptain Silver badge

      Re: End of privacy

      One key for the Application.

      One key for the Encryption.

      It's only the application key that they are asking for.....;-).

      1. Gene Cash Silver badge

        Re: End of privacy

        Sure, and the application key gives them the power to compile whatever the hell they want and call it your app.

        If they want to pull a Sourceforge style stunt and add advertising, they can do that. If they want to weaken any encryption, they can do that. If they want to install something that pops up a flag when certain people use the app, they can do that.

        1. Anonymous Coward

          Re: End of privacy

          "...they can will...they can will...they can will"

          FTFY

          Hey friends!! Welcome to the new USA government surveillance program!! Courtesy of Google!! Please hand over your keys, we got you from here.

          In all seriousness, the USA gov. was probably already hijacking the keys, but that pesky word "illegal" was problematic... not anymore.

      2. Dante Alighieri Bronze badge
        Black Helicopters

        Bilbo Baggins

        ...and in the Darkness bind them

    2. You aint sin me, roit Silver badge

      Limitations...

      To be fair to Google (!), it does seem that they are technical limitations, such as being unable to guarantee shared library code.

      But you can't trust an organization that is prepared to let Google sign on their behalf. Non-repudiation is a central tenet of digital signatures.

      I want to see app devs boast about 'code transparency'. Indeed it would be good to see devs implementing their own internal authentication mechanisms...

    3. NoneSuch Silver badge
      Facepalm

      Re: End of privacy

      It's also going to screw over people like myself who need the APKs because geo locks do not allow certain apps to run in my country.

      As one example, buy an iRobot vacuum, first thing you get out of the box is instructions on how to program it with the Google Play App, which is geolocked. (Running a robot vacuum beyond the US / Canada / UK borders is a direct threat to national security or something.) They don't tell you that when you buy it and the single reference to it is buried deep in their support site. Makes your $1,000 purchase a brick unless you can grab the APK and manually install it, avoiding Google Play completely.

      1. tekHedd

        Re: End of privacy

        And it's not great for people like me who don't have Play Store or any Google apps at all on their phones. At this time I can still transfer some apps over from my "google store" phone. They must hate that. Of course now that the apps will be "compiled for specific hardware" this won't work any more.

        They hate that people can use Android without Google. They hate it so bad.

    4. Khaptain Silver badge

      Re: End of privacy

      Google also has an optional feature intended to reassure developers, called Code transparency for app bundles. This uses a second signing key, held only by the developer, and can be used to verify that the APK delivered by the Play Store matches what the developer built, subject to some limitations.

      1. doublelayer Silver badge

        Re: End of privacy

        Yeah, we got that when we read it. A thing few will use which isn't checked by anything and can be forged. Really great answer to the nonexistent problem.

  2. Anonymous Coward

    On to F-Droid

    Well, I've been putting off moving to F-Droid long enough... guess I better get off my butt.

    1. karlkarl Silver badge

      Re: On to F-Droid

      Why not just host packages on your own sales page (or, if open-source, github) like... well, proper modern software?

      I never quite understood why app developers flocked to Google Play so easily. I even fell for it for a while until I started to realize that it was providing a worse experience for my users.

      1. Gene Cash Silver badge

        Re: On to F-Droid

        Because Google Play is "the place" to distribute your apps. It's the only place where the phone doesn't throw a shit-fit and make you jump through half a dozen hoops when you try to install something.

        At least it's not as bad as Apple, where you have to jailbreak the phone to install from anywhere other than the Apple App Store.

        Because phone apps aren't really proper modern software. For Android, I'm stuck using their IDE (which isn't bad, but that's beside the point) and I have a choice of 2 languages (Java or Kotlin) or the pain of writing a C library.

        F-Droid is basically a github for Android. They package your app and set things up so the phone can easily download and install it.

        1. tekHedd

          " half a dozen hoops"

          Spoken like someone who's never used F-Droid. Android apps are (were) just APKs and run exactly the same no matter where you get them from, except for the signing and google's highly intrusive, battery draining telemetry.

          1. doublelayer Silver badge

            Re: " half a dozen hoops"

            I think you agree more than you think. F-Droid is a solution to some of the annoying things Android tries to do when not using Google Play. Not all of them, because the Play store has extended itself through security layers and F-Droid can't (and wouldn't anyway). Sideloading apps frequently can make Android or rather the Googly bits of it annoyed. Security warning screens are required for various actions, the Play Protect system may flag them for you, and in order to use any other store, you have to sideload at least once.

            That's why F-Droid is so useful, as it can get around some of that by installing the apps itself. It can't do everything, for example it has to present a confirmation screen for every app update whereas Play doesn't, but it's a lot easier for the nontechnical user than installing APKs without it.

      2. doublelayer Silver badge

        Re: On to F-Droid

        "Why not just host packages on your own sales page (or, if open-source, github) like... well, proper modern software?"

        Most F-Droid applications are on Github. Their source is available from the publisher and cached by F-Droid. So they're already doing that. They use F-Droid rather than just hosting APKs because F-Droid means people can get updates in a more organized manner than trying to have an app update itself or just hoping users go install them by downloading a new APK. It also makes apps easier to find, since you can search a catalog of all the things people built with the users' interests in mind. Why not use that if it's already there?

      3. Trollslayer

        Re: On to F-Droid

        I worked for a company that does that because they produce customised Android products and their apps only work on their hardware for various reasons.

        As to consumers, they aren't bothered much.

  3. David Austin

    None of this sounds like a good idea

    Literally handing the keys to the kingdom over. For what? The ability to make dynamic apks, making app archiving even harder than it currently is, and non-install trial versions, in a world where data and bandwidth are just going up.

    Looks more like (Yet Another) Google power grab from here.

    1. iron Silver badge

      Re: None of this sounds like a good idea

      Fortunately all of what you said is wrong.

      AABs mean smaller download sizes for ALL users so data and bandwidth are saved for everyone. All my apps had download sizes reduced by over 50% when I moved to AAB distribution last year and none of them use optional features or trial versions.

      With the old APK you are downloading language files for languages you don't understand, files for resolutions your device doesn't support and potentially ABIs for an entirely different chip architecture. With AAB the dev uploads all these things in a single AAB, Google then splits it apart into individual APKs for each language, resolution, ABI, etc and only serves the user exactly what they need. So you don't get x86 code on your ARM phone or resources for 50 languages when you only speak one. It really is a good thing.

      1. doublelayer Silver badge

        Re: None of this sounds like a good idea

        Wrong, were they? Let's look at what they said and whether you were able to disprove it.

        "Literally handing the keys to the kingdom over.": You didn't take this part. We'll skip it.

        "For what? The ability to make dynamic apk's, making app archiving even harder than it currently is,": You didn't argue this one either. It looks correct though. If you can only get one version of the package per device, backing up anything is a lot weirder than it used to be.

        "and non-install trial versions, in a world where data and bandwidth are just going up.": You've countered with reduced package size, which is true, but they were talking about the trial versions which you aren't using. I don't know how this trial system works, but I believe they're correct to assume they will use more bandwidth if they're downloaded every time they're needed.

        Your score: 1 point somewhat rebutted though in a different area, 2 points ignored

      2. heyrick Silver badge

        Re: None of this sounds like a good idea

        "or resources for 50 languages when you only speak one"

        I'm a Brit living in France. My phone/tablet is set to British English. Given Google's performance elsewhere (I see your browser specifies en and en-gb but your IP address is in France donc voilà nous vous parlons en française), I don't hold out much hope. I can cope with French, but that's really not the point.

  4. 2+2=5 Silver badge
    Joke

    Dear Valued Android Developer...

    Dear Valued Android Developer,

    We've analysed your app $app-name to see how well it shows adverts to your users. We feel that your current advert display rate of 0 is a little below what our extensive market research has shown to be optimal, which is 15,000 per second per user. We've taken the opportunity to amend your code and have re-signed and re-released $app-name for you.

    To give your users a chance to fully appreciate the benefits of the new version, we've also locked the app against further changes for 28 days. If you wish to make any changes you'll need to wait for the lock period to expire.

    Google Developer Support Program

  5. Anonymous Coward

    Customer Unification and Networking Team at it again

    Looks like Google's CUNT (Customer Unification and Networking Team) is hard at work again thinking of fresh ways to shaft their users.

    1. Anonymous Coward

      Re: Customer Unification and Networking Team at it again

      Surely, since they are indeed shafting their users (and developers), they would have to be the Product Enhancement and Networked Interrogation Services team?

      1. adam 40 Silver badge

        Re: Customer Unification and Networking Team at it again

        Either way, they'll have to get it past the department in between those two, the Product Evaluation Resource Integration and Network Engineering Upgrade Middleware team?

      2. Zarno Bronze badge
        Trollface

        Re: Customer Unification and Networking Team at it again

        I'm thinking both are part of "Technology Wise Advanced Threat Watch And Future Fulfillment Legal Enforcement Services"

  6. pip25
    Unhappy

    I migrate my APKs between phones

    But if the binaries I get are "optimized for my device" from here on, then I guess that's the end of that. Thank you so much, Google.

    1. DS999 Silver badge

      Re: I migrate my APKs between phones

      Copying APKs around messes up Google's metrics about the number of devices apps are installed on, they obviously don't want you doing that!

      The "optimization" for your device may include assigning a UUID to each install which would only be possible if they get full control over the install process. They would of course claim those UUIDs are not a violation of privacy because they aren't sharing that with third parties. Just using it to allow those third parties to more profitably (for Google) sling advertisements at you!

  7. Mike 137 Silver badge

    Losses accumulate

    "it will receive an APK optimised for the device rather than a universal APK prepared by the developer."

    Not only loss of control over signing - now we've lost control over the code as well.

    Why doesn't Goooooooooooooooooooooooogle just create all the apps itself? Lack of talent? Shhhhhhhhhhhhhhhhhhhhh!!

    1. elsergiovolador Silver badge

      Re: Losses accumulate

      > Lack of talent? Shhhhhhhhhhhhhhhhhhhhh!!

      You know they'd have to pay those pesky salaries, because you cannot exactly manipulate developers into writing open source code for free that only you will profit from.

  8. Claptrap314 Silver badge
    Unhappy

    At least with Apple

    they are up front that you are working for them. My staying away from smart phones entirely is looking more forward-looking all the time...

  9. RancidRodent

    All part of the great reset.

    You will no longer be able to create a genuinely secure app - Google are just following Apple where not only do they hold the keys - they decide which apps are allowed based on the political narrative. The banning of the installation of Android apps offline will be next so apps cannot be shared once they’ve been put on the naughty step.

    The internet was originally sold as the people’s platform to access the world free of national political boundaries – now it’s the primary tool that will be used to trap, tag, track and control us by an unelected global political elite and their bought-up establishment puppets.

    1. heyrick Silver badge

      Re: All part of the great reset.

      "trap, tag, track and control us by an unelected global political elite and their bought-up establishment puppets"

      Your narrative is slightly wrong. The megacorps don't actually give even half of an inkling of a shit about any of us. We're just a big set of data points to be analysed for the purposes of "adding value" for flinging adverts. Because (for some reason I don't understand) trying to flog shit to people who mostly aren't interested is a gold mine. Money for relatively nothing, and their chicks for free.

      The political elite are trying to get in on the game because they can. Because they see massive wealth being generated from mountains of bollocks and they want a piece of that. But the political elite aren't going to get very far because they want the coin, not the hassles and expenditure of making the infrastructure to harvest all this information. The political elite don't give a shit about you either. They just want to line their pockets a little more, and maybe nudge public opinion slightly so their gerrymandering (that far predates the internet) isn't so obvious.

      In short, nobody cares about you (or me). You aren't special (me neither). They just want even more money, and this seems to be a winner right now...

      1. YetAnotherJoeBlow Bronze badge
        Thumb Up

        Re: All part of the great reset.

        Upvote for Dire Straits reference.

  10. Whitter
    Flame

    Closest icon to a flamey eye

    One key to rule them all

    One key to find them

    One key to bring them all

    And in the darkness bind them

  11. OnTheMark
    FAIL

    Monumentally F'd Up

    This is a monumentally f'd up idea.

    If Google wants to sign Android apps, it may as well sign them with its own private key. Holding developer private keys and using those to sign apps provides absolutely zero assurance beyond signing the apps with their own key to start with.

    The only real benefit of holding the developer private keys seems to be the ability to tamper with files and then pass them off as authentic. If they want to be able to rebundle apps on a per device basis, they should really have the developer sign the individual files and then Google can then sign the APK with their own key. At least that way, end users would have the ability to check that the individual files haven't been tampered with since they left the developer.

    Of course, in the event that Uncle Sam wanted to spy on an individual device/user, they could just have Google send out a Google Play update to just that device with whatever rootkit Uncle Sam desired, so this doesn't really change all that much other than possibly hiding a rootkit/other nastyware a little bit better.
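The per-file signing idea proposed in the comment above, sketched as an added example that is not part of the original thread and not Google's tooling: the developer signs a manifest of file hashes, the store cuts a device-specific subset, and the user checks every delivered file against the manifest. All names and the sample bundle are constructed, and a Lamport one-time signature built from SHA-256 stands in for the developer's key so the code needs only the standard library; a real deployment would use an ordinary scheme such as Ed25519.

```python
import hashlib
import json
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# --- Lamport one-time signature: stdlib stand-in for the developer's key ---
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[_h(a), _h(b)] for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveals one secret per digest bit; a key pair must sign only one manifest.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify_sig(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        _h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

# --- Developer side: hash every file in the bundle, sign the list once ---
def build_manifest(files: dict) -> bytes:
    digests = {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}
    return json.dumps(digests, sort_keys=True).encode()

# --- Store side: cut a per-device package out of the full bundle ---
def device_split(bundle: dict, abi: str, lang: str) -> dict:
    keep = {}
    for path, content in bundle.items():
        if path.startswith("lib/") and not path.startswith(f"lib/{abi}/"):
            continue  # native code for another CPU architecture
        if path.startswith("res/values-") and not path.startswith(f"res/values-{lang}/"):
            continue  # strings for another language
        keep[path] = content
    return keep

# --- User side: every delivered file must match the signed manifest ---
def check_delivered(pk, manifest: bytes, sig, delivered: dict) -> list:
    if not verify_sig(pk, manifest, sig):
        return ["manifest signature invalid"]
    signed = json.loads(manifest)
    problems = []
    for path, content in sorted(delivered.items()):
        if path not in signed:
            problems.append(f"{path}: not in developer manifest")
        elif hashlib.sha256(content).hexdigest() != signed[path]:
            problems.append(f"{path}: content differs from developer build")
    return problems

# Constructed sample bundle (file contents are placeholders, not real binaries).
BUNDLE = {
    "classes.dex": b"dex bytecode",
    "lib/arm64-v8a/libapp.so": b"arm64 native code",
    "lib/x86_64/libapp.so": b"x86_64 native code",
    "res/values-en/strings.xml": b"<string>Hello</string>",
    "res/values-fr/strings.xml": b"<string>Bonjour</string>",
}

if __name__ == "__main__":
    sk, pk = keygen()
    manifest = build_manifest(BUNDLE)
    sig = sign(sk, manifest)
    split = device_split(BUNDLE, "arm64-v8a", "en")
    print(check_delivered(pk, manifest, sig, split))  # untouched split
    split["classes.dex"] += b" + injected code"
    print(check_delivered(pk, manifest, sig, split))  # modified after signing
```

The check flags modified or added files but not omitted ones, since omission is exactly what a device split does, and it only helps if the user obtains the developer's public key through a channel the store does not control.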

  12. elregidente

    This fundamentally and profoundly undercuts Android security.

    This seems like a staggeringly and terrifyingly bad idea: that Google, or whichever State puts pressure on Google, can silently replace the content of any package, right?

    I'll be okay, I am fairly soon moving away from Android, to a Librem, which will run actual Linux, but this seems a vast and profound loss of security, in exchange for - just what we need - even *more* surveillance.

    You can have security, or you can have surveillance; if you have surveillance though, you have to give up security.

  13. YetAnotherJoeBlow Bronze badge

    Suppose...

    Let's say that you release a GPL'd APK. So Google then makes its mods and re-signs the APK. Customer then downloads a binary. Where is the source code for Google's mod?

  14. bazza Silver badge

    Huh?

    From the article

    Google has said: "Your keys are stored on the same infrastructure that Google uses to store its own keys. Keys are protected by Google's Key Management Service."

    Oh goodie. How reassuring...

    I have no doubt that Google do an awful lot to ensure the security of such things, and they are probably reasonably competent at it. But it does smell a bit like every single damned egg in one basket, well padded basket it may be... Can you just imagine the mayhem if someone got inside that.

    Surely a better way would be to have an interface where the developer holds the keys and provides them to Google as required, to get the same end result. That might be a busy interface, but it leaves the control in the hands of the developer.

    1. Aitor 1 Silver badge

      Re: Huh?

      This is, therefore, mostly for them to be able to spy on you, as requested by the governments.

      It will have some advantages as they state, but I don't trust them really.

    2. Anonymous Coward

      Re: Huh?

      Ah but then they run the risk of developers blowing whistles.

  15. RyokuMas Silver badge
    Facepalm

    Remind me again...

    So let me get this straight... one of the main beefs that Android owners have about Apple is their walled garden approach...?

    1. heyrick Silver badge

      Re: Remind me again...

      Ah, but for the moment (fingers crossed), it is possible to grab an apk from a third party site and install it on your device.

      That's never been possible with the likes of iOS.

      And don't think Android users are going to be happy with this. I'm not. It will make backing up apps harder. It'll make sharing apks between devices harder (if not impossible). And it destroys any trust one might have in a developer because there's now a third party who can fiddle with the app and sign it in the developer's name.

  16. TeeCee Gold badge
    Meh

    That process in full:

    1) Code tight, lean app.

    2) Hand to Google.

    3) Magic Googly encruftulation.

    4) APK of massive bloatware.

    5) End user buys new phone with more memory / processor / storage.

  17. heyrick Silver badge
    WTF?

    WTactualF?

    For a company that was pushing so hard to get everybody to https to secure the web, I can't believe that they don't seem to think anything is wrong with "hey Devs, give us your keys so we can mess with your app and pass it off as your own".

    For a company that lets Google Play Services update stuff (including itself) whenever the hell it pleases, this whole "saving bandwidth" thing stinks.

    And no, don't give me some shit about messages in different languages and the like. If you have the Google News app, go look and see how many hundreds of megabytes it is eating up in cache that it seems unable to sensibly auto tidy.

    The whole thing stinks. Do they really think we're that stupid?

    1. Missing Semicolon Silver badge

      Re: WTactualF?

      Yep, they do. Or, as there is no choice, they don't give a damn.

  18. Anonymous Coward

    Existing apps get a grandfather clause

    For now at least: Google blog says NEW apps will be required to hand over their keys in August, but existing apps will not. (Can this be put in the article?)

    I haven't been able to find any published timetable for how long they'll let older apps keep their keys. I for one plan to keep my keys as long as possible, and then put out a "final" Google Play version just before the deadline. Guess that means I should get some bugs fixed....

  19. Anonymous Coward

    This signing system is also used for APKs

    We already use this system for APK files, but we've never thought that the signing key that Google hold is 'our' key, it's clearly Google's key.

    We have a totally different key (which is 'our' key) that we use to sign the APKs for different stores/our website.

    The only thing the Google Play Store key guarantees is that you downloaded the app from the Google Play Store.
