[abhayb]

Some amount of post-install runtime loading is basically necessary on Android if you're using shared native libs. Can't remember off the top of my head what needs to happen but basically every app runs into strange crashes until they start packaging their .so as a resource and then loading it in Application.onCreate. Chrome does this so it's at least de facto allowed.

Google has to allow dynamic loading at app start because of this. Or fix whatever subtle interaction between Android and an OEM's "improvements" is causing this. Not a huge step from here to getting your library from the internet instead of bundled with the app.

Not trying to justify any one app's behavior, just bringing up a fundamental reality baked into what you're saying: Apple doesn't have to deal with the gaps in its security model becoming load bearing features.

[vlovich123]

I don't follow. Google could lock this down if they wanted to. They own System.loadLibrary, dlopen, and the kernel. If they wanted to enforce that native libraries were covered by the same signature as signed the APK they could. Maybe not now that the horse has bolted.