by jeeeb 1812 days ago
As an explanation as to why Google has gone down this design path, I think this makes sense. Basically it’s easier to maintain compatibility with existing devices this way.

From a security perspective I don’t think it makes the slightest difference. Google controls the logic that prevents updating apps with a different signing key.

There are so many conceivable ways that Google could inject arbitrary code into each process (e.g. silently cause a different “shadow” app bundle to be launched, play with LD_LIBRARY_PATH, play with the Dalvik VM, modify Java/system libraries, etc.) or read processes’ memory, that it’s safe to assume that if Google wants (or is forced) to modify your app’s behaviour or exfiltrate sensitive data from your device, then it’s absolutely within their power to do that.