Android app developers will soon have to hand over the keys they use to sign their apps to Google. The condition is part of a major change in the way apps are distributed to Android smartphones, TVs, and other smart devices.
Starting next month, new apps submitted to the Google Play Store must be packaged as an Android App Bundle (AAB). Although the bundle "replaces" the familiar APK as the upload format, Google is not abandoning APKs altogether: devices still install APKs, only now Play generates them from the uploaded bundle rather than taking them from the developer.
Android app developers must hand over app-signing keys to Google:
Changing over from APKs to App Bundles might not by itself be reason enough for developers to be concerned. However, publishing an App Bundle requires app creators to enroll in a scheme called Play App Signing.
The support document for Play App Signing states: "With Play App Signing, Google manages and protects your app's signing key for you and uses it to sign your APKs for distribution."
Google sunsets the APK format for new Android apps:
A disturbing bit: "… developers will need to give Google their app signing key to export an AAB app as an APK. This gives Google quite a bit of power. The app signing key is…https://t.co/rijLjBktRr https://t.co/2ZBz71P2mD
— Kevwe Technology AB (@kevweab) July 1, 2021
Needless to say, this is in direct contrast to current practice. Today, developers hold the keys to their own apps: they sign every release with their own key, and Android only accepts an update that is signed with the same key as the version already installed.
Google's own documentation stresses how much rides on a developer holding that key themselves: "If you lose or misplace your key, you will not be able to publish updates to your existing app. You cannot regenerate a previously generated key. Your reputation as a developer entity depends on you securing your app signing key properly, at all times, until the key is expired."
"Google manages and protects your app's signing key for you and uses it to sign your APKs for distribution" https://t.co/mrTUobuUVk
— The Register (@TheRegister) July 1, 2021
Under Play App Signing, on the other hand, the developer either hands the existing app signing key to Google or lets Google generate a new one. Google then builds APKs from the uploaded bundle, tailored to each device configuration, and signs them on the developer's behalf with that key. What the developer keeps is a separate upload key, used only to sign the bundle sent to Play; if that key is lost, Google can reset it, which is precisely what cannot be done with an app signing key a developer holds alone.
Perhaps the primary benefit of handing over custody is Google's assurance that the key will be stored on the same infrastructure Google uses to store its own keys, protected by what it calls "Google's Key Management Service".
Google allows retaining app-signing keys but adds a few conditions:
Android app developers can retain a copy of their own app signing key and keep it stored locally; Play App Signing does not require them to destroy it. However, they must send a copy of the key to Google, and it is Google's copy that signs what actually lands on devices. A developer who wants to confirm this can compare the app signing certificate fingerprint shown in the Play Console with the certificate reported by `apksigner verify --print-certs` on an APK downloaded from Play: it will be that certificate, not the upload certificate, that devices see.
Google's stated reason is technical: with App Bundles, Play builds and serves per-device split APKs rather than the single file the developer signed, and every one of those must carry a valid signature, which is only possible if Play holds the signing key. Even so, it is not obvious that the benefits demand surrendering the key. The prevalent APK package has worked well for developers and Android device users.
Ask HN: Android developers, are you OK giving your signing keys to Google? https://t.co/E542gLlrUM
According to , Google is transitioning from APK format to AAB (Android App Bundle) which features Play App Signing , which, essentially, requires… https://t.co/oTD9W4TiUQ
— Chopsooy (@CholettR) July 1, 2021
It also looks like Google is fencing off its own Android app ecosystem. A bundle is not installable on a device, and competing app stores do not take App Bundles as-is; the bundle has to be turned into signed APKs first, and on Play that is Google's job.
This means Microsoft and Amazon will have to ensure developers build two versions of their apps, a bundle for Play and a conventional APK for other stores. Moreover, these stores would have to build and deploy equivalents of the Play-only delivery APIs, such as on-demand feature modules, that apps on the Google Play Store already rely on.