[guardian-dev] Manipulating App Bundles

Mark Murphy mmurphy at commonsware.com
Wed Jun 17 17:59:44 EDT 2020


I am guessing that you have seen that Google is proposing making app bundles a requirement next year:

https://www.xda-developers.com/google-play-billing-v3-app-bundle-requirement-2021/

App Bundles, and their ties to Google's app-signing service, have never struck me as being safe. Am I missing something? If Google is capable of removing things from an app (as part of slicing-and-dicing it into smaller pieces, to distribute only the necessary pieces to a user)... they should be capable of adding or changing things. Amazon used to add a DRM wrapper as part of their AppStore for Android, at least back in the day (not sure if they still do), and they controlled the signing keys.

What is stopping them from adding stuff to, say, Signal, at the behest of somebody, that sends a cleartext copy of messages to some server? Since they have lots of details of most Android users, they could only deliver the modified Signal to select users (e.g., residents of a certain country, on a certain list), rather than everyone. With developer-signed APKs, that sort of tampering should be more evident, if the developer is looking for it.

I am sincerely hoping that I'm forgetting something that prevents this.

--
Mark Murphy (a Commons Guy)
https://commonsware.com | https://github.com/commonsguy
https://commonsware.com/blog | https://twitter.com/commonsguy
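
One way a developer could look for the tampering described in the message above, as an added example that is not part of the original post: compare the entries of the APKs a device actually received against the developer's own build, ignoring removals (slicing removes entries by design) and flagging anything added or changed. The file names, the `META-INF/` ignore list and the sample archives are constructed assumptions; a real store may legitimately rewrite other entries, which would need to be added to the ignore list after review.

```python
import hashlib
import io
import zipfile

# Entries skipped by default: JAR-style signature files, which change whenever
# an APK is re-signed. Assumption for this sketch; extend it after checking
# what your store legitimately rewrites.
IGNORED_PREFIXES = ("META-INF/",)

def make_apk(entries):
    """Build an in-memory ZIP (an APK is a ZIP) from {name: bytes}. Sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def entry_digests(apk_bytes):
    """Map every file entry to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}

def diff_against_reference(reference_apk, delivered_apks, ignored=IGNORED_PREFIXES):
    """Return (added, changed) entry names found in the delivered APKs.

    Entries missing from the delivered set are not reported, because slicing
    removes entries by design.
    """
    reference = entry_digests(reference_apk)
    added, changed = set(), set()
    for apk in delivered_apks:
        for name, digest in entry_digests(apk).items():
            if name.startswith(ignored):
                continue
            if name not in reference:
                added.add(name)
            elif reference[name] != digest:
                changed.add(name)
    return sorted(added), sorted(changed)

# Constructed sample: the developer's own build and two splits pulled from a device.
REFERENCE = make_apk({"classes.dex": b"dex-v1", "lib/arm64-v8a/libapp.so": b"arm64",
                      "lib/x86/libapp.so": b"x86", "META-INF/CERT.RSA": b"dev-sig"})
DELIVERED = [
    make_apk({"classes.dex": b"dex-v1-patched", "classes2.dex": b"extra",
              "META-INF/CERT.RSA": b"store-sig"}),
    make_apk({"lib/arm64-v8a/libapp.so": b"arm64", "META-INF/CERT.RSA": b"store-sig"}),
]

if __name__ == "__main__":
    print(diff_against_reference(REFERENCE, DELIVERED))
```

Because a modified build could be delivered only to selected users, a check like this is only meaningful when run on APKs collected from many different devices and accounts.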

