15 votes

Why Google Play’s APK replacement is scaring some security experts

4 comments

  1. Octofox
    Link
    This feels like a change which was entirely well intentioned and in the users best interest. App sizes are getting unmanageable and this is a great way to cut size without affecting users. And the...

    This feels like a change which was entirely well intentioned and in the users best interest. App sizes are getting unmanageable and this is a great way to cut size without affecting users. And the whole key thing is a requirement to dynamically build the APKs. The Android APK key system is an oddity in the first place. Normally the packages are signed by the OS vendor as they are the highest level of trust. Google does not need to modify APKs since they could just make any changes at the OS level.

    The inability to archive apps is a real loss but I very much doubt this is googles crackdown on copying and just an unintended side effect.

    7 votes
  2. [3]
    skybrian
    Link
    You might compare with Linux distros that normally build apps from source, with their own distro-specific patches and using different versions of the libraries they depend on. This works as long...

    You might compare with Linux distros that normally build apps from source, with their own distro-specific patches and using different versions of the libraries they depend on. This works as long as the distro is trusted, but sometimes open source maintainers will complain that distros introduce bugs with their patches.

    Or you might compare with Microsoft putting app-specific workarounds into Windows to keep apps that have bugs running in a new OS release. If they distributed the apps through their store, maybe they could fix the bug instead?

    3 votes
    1. [2]
      Octofox
      Link Parent
      If the distro is not trusted, it's all over. The OS is the highest trust level (excluding hardware backdoors in the CPU). If you do not trust google to not add malware to packages then you should...

      This works as long as the distro is trusted

      If the distro is not trusted, it's all over. The OS is the highest trust level (excluding hardware backdoors in the CPU). If you do not trust google to not add malware to packages then you should not be using Android at all.

      1 vote
      1. skybrian
        Link Parent
        In one sense that's true, but trust is a bit more complicated than that. For example, you might trust a distro not to deliberately add malware, but they might still make mistakes, and their...

        In one sense that's true, but trust is a bit more complicated than that. For example, you might trust a distro not to deliberately add malware, but they might still make mistakes, and their mistakes could be exploited.

        Most programs bundled by a distro don't run as root. Google tries to keep malware out of the Play Store, but some programs slip through.

        2 votes