8

From the Android website:

Android requires that all apps be digitally signed with a certificate before they can be installed.

The signature ensures that only the original developer can publish an update for their app. It doesn't ensure that no faked app gets delivered to the user in the first place. The developer can't monitor whether Google delivers "real" versions of their apks or faked ones. So the end user has to trust Google. Why not completely rely on Google, and remove the signature? The developer authenticates themselves to Google via their Google account, and therefore every app is traceable to its developer. And the path from Google to the Play Store app can be secured through https.

user10008
  • 4,315
  • 21
  • 33

3 Answers

6

Actually, code signing is simply a way to validate that an app came from the app store. It has nothing directly to do with who the app is from or what intent the app designers had in mind.

The issue of malware being introduced is mostly the result of it not being caught by Google's filters (see wiki for details on authentication procedures).

Moreover, code signing itself isn't really enough as vulnerabilities do exist.

In addition to everything you stated, code signing also allows the developer to release updates to their app without having to 're-authenticate' themselves [fully] to Google. Being code signed also means you are (in theory) easier to physically track down in case you did upload malware, thus code signing acts like a forensic fingerprint of sorts (I am oversimplifying the issue/details).

Bottom line is the original developer can do nothing but watch and report malicious interpretations of their app (not to mention, many 'legit' apps are simply exploitable).

If you did 'completely rely on Google' that would change legal obligations and most likely drive app costs up as Google would now have to vet each app vigorously to avoid lawsuits.

Matthew Peters
  • 3,592
  • 4
  • 21
  • 39
5

Signing applications removes the reliance on Google for anything other than providing the operating system. A user can install an apk and verify its signature, regardless of whether this apk is downloaded from Google or e.g. copied over an SD card.

Once an apk is downloaded, there is no direct way to track its origin. It's impossible to tell afterwards what URL the file was downloaded from. A signature in the apk attests to the authenticity of the file as long as the public key can be traced to the original developer.

Signing the apk does guarantee that a fake app cannot be installed unnoticed, in principle. In practice, this guarantee is moot since the identity of the signer is not provided to the user in any way that is tied to the ownership of the corresponding private key. Nonetheless, a developer can verify the authenticity of a downloaded app by comparing the apk to the version they uploaded, or more simply by verifying that the apk is correctly signed with their public key.

As for why all apks must be signed, it's a matter of implementation simplicity: there's no need to distinguish between signed and unsigned apps. Google provides a debug key, for which the private part is included in the SDK, and anyone can create their own key pair; for security purposes an apk signed by the debug key or by an unknown key is not any more secure than it would be if it was unsigned.

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179
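The check Gilles describes (the digests in the apk attest to the file contents, and the signature only helps if the signer's public key is pinned to the developer) can be seen end to end in the v1 (JAR-style) signing scheme. The following is an added example, not code from the page or from any of the answers: a stdlib-only Python sketch that builds a constructed in-memory apk with `META-INF/MANIFEST.MF` and `META-INF/CERT.SF`, verifies the digest chain CERT.SF -> MANIFEST.MF -> every zip entry, flags a tampered or smuggled entry, and then applies the separate decision of comparing the signer certificate's SHA-256 fingerprint with the one the developer published. The sample entries, the placeholder `CERT.RSA` and the certificate byte strings are constructed for the demo; the PKCS#7 signature over CERT.SF is not verified here (that is what `apksigner verify --print-certs` does), and the 72-byte line wrapping of real manifest files is omitted.

```python
import base64
import hashlib
import hmac
import io
import zipfile

# Constructed sample entries standing in for real APK contents (not a real app).
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b'<manifest package="com.example.demo"/>',
    "classes.dex": b"dex\n035\x00" + bytes(range(64)),
}


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def _sections(manifest: bytes):
    """Named sections of a manifest, each returned with its closing blank line."""
    chunks = manifest.split(b"\r\n\r\n")
    return [c + b"\r\n\r\n" for c in chunks[1:] if c]


def _parse_section(section: bytes) -> dict:
    attrs = {}
    for line in section.decode("utf-8").split("\r\n"):
        if ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs


def build_manifest(entries: dict) -> bytes:
    """META-INF/MANIFEST.MF: one SHA-256 digest per zip entry, as the v1 scheme writes it."""
    out = "Manifest-Version: 1.0\r\nCreated-By: added-example\r\n\r\n"
    for name, data in entries.items():
        out += f"Name: {name}\r\nSHA-256-Digest: {_b64_sha256(data)}\r\n\r\n"
    return out.encode("utf-8")


def build_signature_file(manifest: bytes) -> bytes:
    """META-INF/CERT.SF: digest of the whole manifest plus a digest of each manifest section.
    CERT.RSA (not produced here) is the developer's PKCS#7 signature over this file."""
    out = ("Signature-Version: 1.0\r\nCreated-By: added-example\r\n"
           f"SHA-256-Digest-Manifest: {_b64_sha256(manifest)}\r\n\r\n")
    for section in _sections(manifest):
        name = _parse_section(section)["Name"]
        out += f"Name: {name}\r\nSHA-256-Digest: {_b64_sha256(section)}\r\n\r\n"
    return out.encode("utf-8")


def build_sample_apk(tamper: bool = False, inject=None) -> bytes:
    """Constructed in-memory apk. tamper=True swaps classes.dex after signing, as a
    repackaged 'fake' app would; inject adds files to the zip without signing them."""
    manifest = build_manifest(SAMPLE_ENTRIES)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in SAMPLE_ENTRIES.items():
            if tamper and name == "classes.dex":
                data += b"\x90\x90 injected"
            z.writestr(name, data)
        for name, data in (inject or {}).items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", build_signature_file(manifest))
        z.writestr("META-INF/CERT.RSA", b"<pkcs7-placeholder, not verified here>")
    return buf.getvalue()


def verify_v1_digests(apk: bytes) -> list:
    """Checks the digest chain CERT.SF -> MANIFEST.MF -> every entry. Returns a list of
    problems (empty means intact). This proves the files are what the signer digested;
    whether the signer is the right one is a separate decision (pinned_signer_ok)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        manifest = z.read("META-INF/MANIFEST.MF")
        sf = z.read("META-INF/CERT.SF")
        if _parse_section(sf.split(b"\r\n\r\n")[0]).get("SHA-256-Digest-Manifest") != _b64_sha256(manifest):
            problems.append("MANIFEST.MF does not match the digest in CERT.SF")
        sf_digests = {_parse_section(s)["Name"]: _parse_section(s)["SHA-256-Digest"] for s in _sections(sf)}
        signed = set()
        for section in _sections(manifest):
            attrs = _parse_section(section)
            name = attrs["Name"]
            signed.add(name)
            if sf_digests.get(name) != _b64_sha256(section):
                problems.append(f"manifest section for {name} not covered by CERT.SF")
            if name not in z.namelist():
                problems.append(f"{name} listed in MANIFEST.MF but missing from the zip")
            elif attrs.get("SHA-256-Digest") != _b64_sha256(z.read(name)):
                problems.append(f"{name} content does not match its MANIFEST.MF digest")
        for name in z.namelist():  # a file added after signing is not covered at all
            if not name.startswith("META-INF/") and name not in signed:
                problems.append(f"{name} is present but not signed")
    return problems


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, in the colon-separated keytool/apksigner style."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())


def pinned_signer_ok(cert_der: bytes, expected: str) -> bool:
    """Compare the signer certificate with the fingerprint the developer published.
    A debug key or any unknown key is rejected even if its signature is valid."""
    norm = lambda s: s.replace(":", "").upper()
    return hmac.compare_digest(norm(cert_fingerprint(cert_der)), norm(expected))


if __name__ == "__main__":
    print("untouched :", verify_v1_digests(build_sample_apk()))
    print("repackaged:", verify_v1_digests(build_sample_apk(tamper=True)))
    print("smuggled  :", verify_v1_digests(build_sample_apk(inject={"assets/x.so": b"\x7fELF"})))
    dev_cert = b"constructed placeholder for the developer's DER certificate"
    debug_cert = b"constructed placeholder for the SDK debug certificate"
    published = cert_fingerprint(dev_cert)  # what the developer would post on their site
    print("dev signer  :", pinned_signer_ok(dev_cert, published))
    print("debug signer:", pinned_signer_ok(debug_cert, published))
```

The two functions are deliberately separate: `verify_v1_digests` answers "is this exactly the set of files the signer digested?", `pinned_signer_ok` answers "is the signer the developer I expect?". Android's installer does the first (plus the PKCS#7 check) for any key, including the SDK debug key; only the second gives the guarantee the question is after, and it needs a fingerprint obtained out of band.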
3

The user doesn't need to rely on Google. They can also use the Amazon marketplace or the developer can send the .apk directly to the user.

Christian
  • 1,876
  • 1
  • 14
  • 23