←back to thread

A theoretical way to circumvent Android developer verification

(enaix.github.io)
194 points sleirsgoevy | 1 comments | 31 Oct 25 20:20 UTC | HN request time: 0s | source
Show context
VladStanimir ◴[01 Nov 25 09:31 UTC] No.45780362[source]
I am not a app developer however from what I read on the android developer site you just need to provide some form of id, the singing key and the app id.

You don't have to distribute via the app store, you dont have to get Googles permission to publish the app or have them sign it.

This looks like purely app validation, we only run apps we can prove originate from the author.

replies(2): >>45781210 #>>45783449 #
1. m-p-3 ◴[01 Nov 25 17:22 UTC] No.45783449[source]
So if Google doesn't like the app in question (such as ReVanced, NewPipe, etc), they can simply target that signing key to completely disable the app on all devices, even if it's not distributed by them.

Having the file signed by a relatively centralized authority makes it much easier for Google to gain control outside of their realm.