Can someone explain to me why we are still required to sign our Android apps?

With Android O, we are well into the second half of the alphabet (no pun intended) and the Android package manager still requires apps to be signed. Why exactly?!

Don’t tell me it is a security feature!

  • Whoever had the brilliant idea to mandate that apps need to be signed kinda forgot to establish a certificate authority to go along with it. Great! I can check if the code is signed by the certificate that accompanies it. I just can’t confirm that this certificate actually belongs to the developer in question!
  • In rare cases, a developer might use the same certificate for signing his apps and securing his website, but manually checking for a match is kinda a moot point, considering that Play does its best to hide an app’s installation file from you, isn’t it?
  • Since there is no CA, the package manager simply assumes that when you install an app for the first time, its APK file is legit and only checks if updates were signed by the same certificate. That’s acknowledging that an APK file can be hacked in transit, but somehow assuming this can’t possibly happen during the very first download!
  • Once you sign an APK, you are committed to that certificate forever (or in practical terms: 20 years, since that is the longest possible lifespan of a certificate). Hello Google! When you documented the signing process, it should have become obvious that your system is broken by design! The whole point of having a mandatory expiration date in certificates is to keep the lifespan short because private keys can leak. Forcing developers to choose between continuing to use leaked keys or being unable to update their apps makes nonsense of the whole signing thing!
  • Sure, by mandating that apps need to be signed, Google can’t be forced by governments to deliver “special versions” of installed (third party) apps to “selected individuals”, but even that point is moot since they could be forced to deliver a “special version” of their own apps (including the Play client app)! The correct answer to that kind of threat would have been transport security and anonymous access!
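
The trust-on-first-use behaviour described in the list above, as an added sketch that is not part of the original post and not Android's code. `PackageStore`, `fingerprint`, `SignatureMismatch`, the package name and the certificate bytes are all hypothetical; the sketch assumes the APK's signature has already been checked against the certificate it ships with.

```python
import hashlib

class SignatureMismatch(Exception):
    """The signing certificate is not the one that was expected."""

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded signing certificate."""
    return hashlib.sha256(cert_der).hexdigest()

class PackageStore:
    """Toy model: the signer is pinned at first install, updates must match."""

    def __init__(self, known_fingerprints=None):
        self.pinned = {}  # package name -> fingerprint pinned at install time
        # Fingerprints obtained out of band (assumption: the developer
        # publishes them somewhere the user trusts). With no CA, this is the
        # only thing that can vouch for the very first download.
        self.known = dict(known_fingerprints or {})

    def install(self, package: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        if package in self.pinned:
            # Update path: only "same certificate as before" is checked.
            if fp != self.pinned[package]:
                raise SignatureMismatch(f"{package}: signer changed")
            return "updated"
        expected = self.known.get(package)
        if expected is not None and fp != expected:
            raise SignatureMismatch(f"{package}: not the published signer")
        # First install with nothing to compare against: whoever signed this
        # file becomes the trusted signer from now on.
        self.pinned[package] = fp
        return "installed-verified" if expected else "installed-unverified"

# Constructed stand-ins for two different signing certificates.
DEV_CERT = b"constructed: developer certificate bytes"
OTHER_CERT = b"constructed: some other certificate bytes"

if __name__ == "__main__":
    tofu = PackageStore()
    print(tofu.install("com.example.app", OTHER_CERT))  # accepted and pinned
    try:
        tofu.install("com.example.app", DEV_CERT)  # genuine update
    except SignatureMismatch as err:
        print("rejected:", err)
```

Passing `known_fingerprints` to the constructor makes the first install fail for `OTHER_CERT`, which is the check the missing CA would otherwise provide.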