I seriously doubt 99% of Google Play developers worry enough that they would take the time and money to run a signing server, and that would introduce a lot of complexity for Google.
> that would introduce a lot of complexity for Google
Oh well, they're imposing it upon everyone else.
Google controls what apps are distributed and run on over 40% phones and tablets in the US.
Users deserve the right to know if what they're downloading and installing is what they're supposed to be getting. Developers deserve the right to know that what's shipping to their customers is what they intended. Billions of people are vulnerable if the Play Store's infrastructure gets, or is, compromised, or if its owners or governments decide to do something nefarious.
Users, right now, are quite happy trusting Apple (paragon of privacy and security) and F-Droid (the main opensource store) with signing their apps for them, so there doesn't seem much reason for Google to waste extra effort not following them.
What's the business reason for Google to not follow Apple in this respect?
The percent of developers is likely small, but that’s the wrong stat, as we don’t care very much about the ~90% of devs that have one or two apps with a handful of downloads. Rather, this is about attacking big targets - a small number of apps with massive numbers of downloads.
Put another way, the percent of total app installs coming from devs who have the resources to run a signing server is likely much higher.
How is an automated signing server better security anyway? Google can still sign what they want but now every dev has a missive security hole in the form a server that can sign code reachable from the open web?
Oh well, they're imposing it upon everyone else.
Google controls what apps are distributed and run on over 40% phones and tablets in the US.
Users deserve the right to know if what they're downloading and installing is what they're supposed to be getting. Developers deserve the right to know that what's shipping to their customers is what they intended. Billions of people are vulnerable if the Play Store's infrastructure gets, or is, compromised, or if its owners or governments decide to do something nefarious.