Google is asking developers to hand over their app-signing keys: will app creators lose the ability to sign their own apps?

App developers must hand over their own keys? Pic credit: Bram.Koster/Flickr

Android app developers will soon have to hand over to Google the keys they use to sign their apps, the signatures a device relies on to confirm that an update comes from the same publisher as the installed version. The condition is part of a major change in the way apps are distributed to Android smartphones, TVs, and other smart devices.

Starting next month, new apps submitted to the Google Play Store must be published as Android App Bundles. Although the bundle is “replacing” the familiar APK as the publishing format, Google is not abandoning APKs: devices still install APKs, which Play now generates from the bundle.

Android app developers must hand over app-signing keys to Google:

Changing over from APKs to App Bundles might not be reason enough for developers to be concerned. However, alongside the format change Google is asking app creators to enroll in a scheme called Play App Signing.

Google’s support document for Play App Signing states: “With Play App Signing, Google manages and protects your app’s signing key for you and uses it to sign your APKs for distribution.”

This is a direct contrast to prevalent practice. Today the developer holds the key and signs the app locally, and Android only accepts an update whose signature matches the key that signed the installed version.

Google appears to be scaring developers about holding their own keys: “If you lose or misplace your key, you will not be able to publish updates to your existing app. You cannot regenerate a previously generated key. Your reputation as a developer entity depends on you securing your app signing key properly, at all times, until the key is expired.”

Enrolling in Play App Signing, on the other hand, means agreeing to let Google hold the app signing key, either an existing key the developer uploads or one Google generates. Google then generates APKs from the uploaded bundle, optimizes them for each device, and signs them on the developer’s behalf. The developer keeps a separate upload key, which is used only to sign what is sent to Play and which Google can reset if it is lost.

The primary benefit Google offers in return for custody is that the key is stored on the same infrastructure Google uses to protect its own keys. The company says it safeguards developer keys with “Google’s Key Management Service”.

Google allows retaining app-signing keys but adds a few conditions:

Developers who already have an app-signing key can keep using it, and can keep their local copy. However, they must upload a copy of that key to Google, which then uses it to sign the APKs users receive.
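The two-key scheme the preceding paragraphs describe, as an added model rather than code from Google or from this article: a small Go program with a toy “device” that enforces Android’s rule that an update must carry the same signer as the installed version, a toy “Play” that holds the app signing key (generated, or an existing one the developer uploads) and only accepts bundles signed by the registered upload key, and two scenarios showing why losing a classic signing key strands users while losing an upload key does not. Everything here is an assumption of the model: Ed25519 stands in for the RSA/ECDSA X.509 certificates real APK signing blocks carry, the payloads are constructed strings rather than real bundles, and the error messages are illustrative rather than Android’s own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// signedArtifact stands in for an APK or bundle and its signing block. Ed25519
// is an assumption of this model; real APKs carry RSA/ECDSA X.509 certificates.
type signedArtifact struct {
	Payload   []byte
	SignerPub ed25519.PublicKey // plays the role of the signer's certificate
	Signature []byte
}

func newKey() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

func sign(priv ed25519.PrivateKey, payload []byte) signedArtifact {
	return signedArtifact{Payload: payload, SignerPub: pub(priv), Signature: ed25519.Sign(priv, payload)}
}

func (a signedArtifact) verify() bool { return ed25519.Verify(a.SignerPub, a.Payload, a.Signature) }

// device models the package-manager rule behind the quoted warning: the first
// install pins the signing certificate and every update must verify under it.
type device struct{ pinnedSigner ed25519.PublicKey }

func (d *device) install(a signedArtifact) error {
	if !a.verify() {
		return errors.New("signature does not verify")
	}
	if d.pinnedSigner == nil { // first install
		d.pinnedSigner = a.SignerPub
		return nil
	}
	if !bytes.Equal(d.pinnedSigner, a.SignerPub) {
		return errors.New("update rejected: signer differs from the installed version")
	}
	return nil
}

// playStore models Play App Signing: Google holds the app signing key and
// accepts submissions only from the developer's registered upload key.
type playStore struct {
	appSigningKey ed25519.PrivateKey // held by Google (in its KMS), not by the developer's CI
	uploadPub     ed25519.PublicKey  // the developer keeps the matching private key
}

// newPlayStore enrols an app. With existing == nil Google generates the app
// signing key; otherwise the copy the developer uploaded is used.
func newPlayStore(existing ed25519.PrivateKey, uploadPub ed25519.PublicKey) *playStore {
	if existing == nil {
		existing = newKey()
	}
	return &playStore{appSigningKey: existing, uploadPub: uploadPub}
}

// publish checks the upload signature, derives an APK from the bundle (a tag
// here; Play really builds per-device split APKs) and signs it with the app
// signing key on the developer's behalf.
func (p *playStore) publish(upload signedArtifact) (signedArtifact, error) {
	if !upload.verify() || !bytes.Equal(upload.SignerPub, p.uploadPub) {
		return signedArtifact{}, errors.New("upload not signed by the registered upload key")
	}
	apk := append([]byte("apk-from-bundle:"), upload.Payload...)
	return sign(p.appSigningKey, apk), nil
}

// resetUploadKey is the recovery path when an upload key is lost: Play's record
// changes, the app signing key and therefore installed users do not.
func (p *playStore) resetUploadKey(newUploadPub ed25519.PublicKey) { p.uploadPub = newUploadPub }

// classicModel: the developer signs APKs directly. After losing the key and
// re-signing with a fresh one, installed users have no update path.
func classicModel() (firstInstall, updateAfterKeyLoss error) {
	d := &device{}
	firstInstall = d.install(sign(newKey(), []byte("app v1")))
	updateAfterKeyLoss = d.install(sign(newKey(), []byte("app v2"))) // different signer
	return
}

// playAppSigningModel: the same key loss, but only the upload key is lost and
// Play resets it while the app signing key stays constant.
func playAppSigningModel() (firstInstall, updateAfterUploadKeyReset error) {
	upload := newKey()
	play := newPlayStore(nil, pub(upload))
	d := &device{}
	v1, _ := play.publish(sign(upload, []byte("bundle v1")))
	firstInstall = d.install(v1)
	replacement := newKey() // the original upload key is gone
	play.resetUploadKey(pub(replacement))
	v2, _ := play.publish(sign(replacement, []byte("bundle v2")))
	updateAfterUploadKeyReset = d.install(v2)
	return
}

func main() {
	a, b := classicModel()
	fmt.Println("classic: v1:", a, "| v2 after key loss:", b)
	c, e := playAppSigningModel()
	fmt.Println("play app signing: v1:", c, "| v2 after upload-key reset:", e)
}
```

Running it shows the trade Google is offering: in the classic model the v2 install fails because the signer changed, while under Play App Signing v2 installs after an upload-key reset because the device only ever sees the unchanged app signing key. The same model also makes the cost explicit: whoever controls `appSigningKey` can sign an update that every installed device will accept, which is exactly the power the article is worried about handing over.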

It is not immediately clear why Google is deploying such an elaborate scheme for Android apps. The prevalent APK package has served developers and Android device users well.

It seems Google is safeguarding its own Android app ecosystem, because competing platforms cannot use the new App Bundle: a bundle is a publishing format rather than an installable package, and it is Play that turns it into signed APKs for devices.

Microsoft, in partnership with Amazon, recently confirmed Windows 11 can run Android apps. However, it is important to note that Windows 11 cannot use Android App Bundles or any Google Play Services.

This means Microsoft and Amazon will have to get developers to produce a second build of their apps, an APK for the Amazon Appstore rather than a bundle for Play. Moreover, these tech giants will have to create and deploy replacements for the Google Play Services APIs that apps on the Google Play Store already rely on.
