top | item 44215610

(no title)

petedoyle | 8 months ago

> The absolute nightmare is about giving Google the root signing key of your application

I wish more people talked about this. At Amazon, I helped with the early threat modeling around adoption of "App Signing by Google Play", which requires sending your app's root signing key to Google (and is now required, with no publicly-available opt-out for new apps.) It would have added some nice things for Android devs: app bundles, smaller downloads, instant apps, etc.

That said, we imagined the following scenario, and were unable to find a reasonable mitigation at the time:

It seems plausible the US government could send a NSL (or similar) to Google and force them to distribute modified APKs for apps like Signal (ex: to exfiltrate keys). This would be nearly impossible to detect, especially if the modified APK were distributed to only an individual user, or a small group. A few people raised concerns [1], but I don't recall Google ever giving a reasonable response.

[1] https://commonsware.com/blog/2020/09/23/uncomfortable-questi...

Edit: clarify no opt out applies to new apps

discuss

nixosbestos|8 months ago

Well, this is one of those HN comments that I will never forget. Someone wrote (and then removed after a buyer purchased it and required it's take down) a stylometry analyzer once for HN comments. A supposedly senior-y Google-r lambasted some Snowden slides commenting things were impossibly unimaginable inside Google (this was before it has done become widely accepted that internal services at such companies such of course be using some transport security). I got in some silly fight with someone ... 13+ years ago? These are specific things I remember. And now probably your comment.

I didn't trust stock Android before, and I felt the sinking-gut feeling as soon as I realized where "upload root signing key" was going, but spelling it out here puts a ... fine point on things.

Thanks for the comment.

petedoyle|8 months ago

Maybe this? https://en.wikipedia.org/wiki/MUSCULAR

codethief|8 months ago

> > The absolute nightmare is about giving Google the root signing key of your application

> It seems plausible the US government could send a NSL (or similar) to Google and force them to distribute modified APKs for apps like Signal

Since when do you have to hand over your signing keys to Google? I seem to remember the Signal devs saying that they preferred publishing their app on Google Play as opposed to F-Droid because in the former case they control the signing keys. Has this changed?

jbk|8 months ago

> Since when do you have to hand over your signing keys to Google?

Since it requires App Bundles, which is mandatory, as soon as you have Android TV support, for example.

https://android-developers.googleblog.com/2022/11/app-bundle...

See https://dev.to/npomepuy/vlc-for-android-updates-on-the-play-...

petedoyle|8 months ago

Apologies / small correction:

Apps first published to the Play store before August 2021 are not required to upload their keys [1]. This likely includes Signal.

[1] https://developer.android.com/guide/app-bundle

danhor|8 months ago

Just for completeness: For reproducable builds F-Droid can now distribute builds signed by the developer.

baobun|8 months ago

The require to get the private key? When they could ask for the cert and just cross-sign? Can't imagine any valid reason for that...

Would be nice to get a confirmation of this as it sounds wild.

ozim|8 months ago

Valid reason for them is they would have to spend money on supporting and maintaining cross signing. I can image it is much much cheaper to just store priv key.

So if they can get away with it they just do it, no one is there to stop them.

jbk|8 months ago

> Can't imagine any valid reason for that...

Depends of your paranoia level: either because laziness or because of evil intentions...