by nodamage 1870 days ago
> Which would give them ability to alter basically any app on the play store as they deem fit.

Google already controls the operating system, the Play Store, and the SDKs you used to develop your app in the first place. If they wanted to alter your app there is already ample opportunity to do so, what additional trust do you gain by managing your own signing key here?


Isn't it simply that any changes by Google would clearly not match the developer's signature, so they are evident when they differ?

I don't want to defend Google here, but in theory, since Google controls the OS, it can also make it lie to you.

So you tell the OS to "show me this app's signature", and the OS can just lie and show you the expected signature. You want to copy the app to an SD card so you can check it on your Linux PC? The OS can copy the "legal" app.

Also yeah, it seems code signing won't affect anything if the OS wants to be malicious. "Super Secret Messaging App" asks the OS to load encrypt.so, its custom encryption library, and the OS can deliver a no-op library and say "Here it is!". The app wants to check the file's hash, the OS can intercept the hash method's return value and change it to the expected one...

> in theory, since Google controls the OS, it can also make it lie to you

Google controls Android, but it does not control every other OS and every piece of hardware.

If someone downloads an apk with their own custom Google Play client, running on their own computer, they can check whether it was tampered with. In the past a tampered apk from Google's servers would have been signed by the wrong key (because the proper key is controlled by the developer), pointing to Google as the culprit. Now it will be signed by the "developer's" key (shared with Google), creating plausible deniability for Google and US intelligence services.

> "Super Secret Messaging App" asks the OS to load encrypt.so, its custom encryption library, and the OS can deliver a no-op library and say "Here it is!". The app wants to check the file's hash, the OS can intercept the hash method's return value

This sounds extremely labor-intensive. Who will write all those no-op libraries? Who will pay for it?

Yes I'm aware of why giving Google our signing keys is a stupid policy...

As to the labor- and cost-intensive issue, the examples mentioned were: what if Google gives up the fight about end-to-end encryption under regimes that demand it (e.g. China, Australia)? There's your answer of who's writing, or at least paying...

If the signature does not match that tells you the app was tampered with, but the inverse is not true when your "adversary" controls the compiler, installer, and the operating system itself. Reflections on Trusting Trust (https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...) provides a good explanation as to why.