by jayd16 1878 days ago
This solution is backwards compatible. Changing the installation verification process is not.

Why? They control the Play app itself anyway. Isn't verification done by the privileged "Google Play Services" special background service? Which is basically the userspace, which is where Google pushes security updates (because carriers and phone makers don't).
Signatures are verified at the OS level, outside the Play Store. Even if you sideload apps, signatures are checked for consistency.
I'm not suggesting we remove signing, just that Google use their own signing key for apps they build.
That won't work. For Google to take over the signing of existing apps they need the existing keys.
I see, so the limitation is that app updates have to keep using the same key, and that's enforced by the OS? Couldn't the Play Store uninstall then reinstall in that situation, to update to the new key?
That would delete any local files the app might have written, save files, that sort of thing.
Yes, but that destroys cached and local data and isn't compatible with built-in apps using the same package name.
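The constraint the last few comments describe, replayed as an added example that is not from the thread and not Android's real signature-verification code: a toy installer pins the fingerprint of the key that signed a package on first install, accepts later versions only when signed by that same key, and shows that the only way to switch to a different key (say, a store's own key) is uninstall plus reinstall, which discards the app's local data. Ed25519 stands in for the APK signing certificate; the package name, versions, payloads and the "save.dat" data item are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Apk is a constructed stand-in for an APK: package name, version, payload,
// the signer's public key and a signature over (name, version, payload).
type Apk struct {
	Package   string
	Version   int
	Payload   []byte
	PubKey    ed25519.PublicKey
	Signature []byte
}

// signedMessage is the byte string the signature covers.
func signedMessage(pkg string, version int, payload []byte) []byte {
	return []byte(fmt.Sprintf("%s\x00%d\x00%s", pkg, version, payload))
}

// SignApk builds an Apk signed with priv (hypothetical helper, not an Android API).
func SignApk(priv ed25519.PrivateKey, pkg string, version int, payload []byte) Apk {
	pub := priv.Public().(ed25519.PublicKey)
	return Apk{pkg, version, payload, pub, ed25519.Sign(priv, signedMessage(pkg, version, payload))}
}

// Fingerprint is the SHA-256 of the public key; the installer pins this per package.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// installed is one package record: pinned signer fingerprint, version, and local
// app data, which survives an in-place update but not uninstall/reinstall.
type installed struct {
	fingerprint string
	version     int
	data        []string
}

// Device holds installed packages keyed by package name.
type Device struct{ pkgs map[string]*installed }

func NewDevice() *Device { return &Device{pkgs: map[string]*installed{}} }

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrKeyMismatch  = errors.New("update signed by a different key than the installed package")
	ErrDowngrade    = errors.New("version not newer than installed")
)

// Install enforces: valid signature; and, if the package name already exists,
// the same signer fingerprint and a newer version. Data is kept on update.
func (d *Device) Install(a Apk) error {
	if !ed25519.Verify(a.PubKey, signedMessage(a.Package, a.Version, a.Payload), a.Signature) {
		return ErrBadSignature
	}
	fp := Fingerprint(a.PubKey)
	if cur, ok := d.pkgs[a.Package]; ok {
		if cur.fingerprint != fp {
			return ErrKeyMismatch
		}
		if a.Version <= cur.version {
			return ErrDowngrade
		}
		cur.version = a.Version
		return nil
	}
	d.pkgs[a.Package] = &installed{fingerprint: fp, version: a.Version}
	return nil
}

// Uninstall removes the package together with its data: the cost of changing keys.
func (d *Device) Uninstall(pkg string) { delete(d.pkgs, pkg) }

func (d *Device) WriteData(pkg, item string) { d.pkgs[pkg].data = append(d.pkgs[pkg].data, item) }

func (d *Device) Data(pkg string) []string {
	if p, ok := d.pkgs[pkg]; ok {
		return p.data
	}
	return nil
}

// Outcome records what happened at each step of the replayed argument.
type Outcome struct {
	SameKeyUpdate, OtherKeyUpdate, ReinstallErr error
	DataAfterUpdate, DataAfterReinstall       int
}

// RunScenario: developer installs and updates with its own key, a second key
// (the store's) is rejected for the same package name, and switching keys
// requires uninstall/reinstall, which loses the app's local data.
func RunScenario() (Outcome, error) {
	var o Outcome
	_, devKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	_, storeKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	const pkg = "com.example.app" // constructed package name
	dev := NewDevice()
	if err := dev.Install(SignApk(devKey, pkg, 1, []byte("v1"))); err != nil {
		return o, err
	}
	dev.WriteData(pkg, "save.dat") // app writes local data after first install
	o.SameKeyUpdate = dev.Install(SignApk(devKey, pkg, 2, []byte("v2")))
	o.DataAfterUpdate = len(dev.Data(pkg))
	o.OtherKeyUpdate = dev.Install(SignApk(storeKey, pkg, 3, []byte("v3")))
	dev.Uninstall(pkg)
	o.ReinstallErr = dev.Install(SignApk(storeKey, pkg, 3, []byte("v3")))
	o.DataAfterReinstall = len(dev.Data(pkg))
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("same-key update: %v\nother-key update: %v\n", o.SameKeyUpdate, o.OtherKeyUpdate)
	fmt.Printf("data items after in-place update: %d, after uninstall/reinstall: %d\n",
		o.DataAfterUpdate, o.DataAfterReinstall)
}
```

The check is deliberately on the signer's key fingerprint rather than on who distributes the package, which is why a store cannot re-sign an already-installed app without the original key, and why the reinstall path the comments mention clears the data directory.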
So Google’s inability to update Android causes them to compromise on its security?
Google imposing their own root keys on every device seems like a much much bigger overreach than wanting to repackage apps in their store.
Is it? They control the store, which can install apps remotely, and most developers are handing them their private keys for convenience. You also have to trust that Google gave you the right one every time you install a new app.

What is the practical advantage of having apps signed by long-lived keys that were handed to Google without your knowledge over a Google key bundled with the store?

Either way, you keep the same option of installing an alternate store like F-Droid or downloading APKs if you don't trust Google.