Play Store Integrity & Security

ClickClickDrone

How come Google Play is so widely recommended as the #1 choice here for security when considering it is Google who's holding the signing keys for apps and thus ultimately may push targeted malicious updates?

My threat model doesn't include Google as a major adversary really, but I do feel a bit uneasy thinking about this.

Is there anyone here knowledgeable regarding this?

NoahRaketic

ClickClickDrone How come Google Play is so widely recommended as the #1 choice here for security

It isn't. Accrescent is more secure and more strongly recommended. It uses developer-managed signing keys rather than ones managed by the service.

ClickClickDrone when considering it is Google who's holding the signing keys for apps and thus ultimately may push targeted malicious updates

This is an unfortunate aspect about the Play Store. The problem is that other alternatives have even bigger issues.

schweizer

ClickClickDrone I think you are not informed well. The apps in Playstore are signed with the developers keys. Unlike the apps in F-droid which is a single point of failure for that reason.

Play store is considered better because it prevents some threat models that could compromise the distribution of such apps. But I think this is a bit academic and overrated. Because if you are targeted by malicious DNS you have other problems as well. Using internet does require a certain level of trust. Especially in the developers of the code (OS and apps). I strongly encourage using a private DNS that you consider trustworthy. Not the DNS in a random public WLAN.

ClickClickDrone

NoahRaketic

From my research, developers can optionally opt-in to code transparency for their app bundles on Play Store which would solve the issue, perhaps...

Assuming apps do this, do you think it'd be a feasible to implement code app transparency verification inside an app à la AppVerifier?

Regarding Accrescent, I agree, but obviously the elephant in the room is the fact that they very few apps (albeit useful ones).

I am not sure if we as a community should push developers for larger open-source (or not) security apps to publish there, like Proton.

NoahRaketic

schweizer The apps in Playstore are signed with the developers keys

No, apps added to the play store since August 2021 must use keys managed by Google.
https://support.google.com/googleplay/android-developer/answer/9842756

schweizer I think you are not informed well.

You are misinforming users.

schweizer But I think this is a bit academic and overrated.

It is not academic nor overrated.

schweizer Because if you are targeted by malicious DNS you have other problems as well.

That is not the only way to get a compromised app (and in fact would not lead to receiving a compromised app in the first place if TLS is used, even without APK signature verification).

schweizer I strongly encourage using a private DNS that you consider trustworthy. Not the DNS in a random public WLAN.

This doesn't meaningfully improve security if you're already using HTTPS.

ClickClickDrone

schweizer

schweizer The apps in Playstore are signed with the developers keys.

Sadly, this is not true. See NoahRaketic's reply.

schweizer Because if you are targeted by malicious DNS

This question doesn't have anything to do with DNS...

schweizer

This is a weird discussion. There is a newer model now where the developers keys are stored at a google site but still each app is signed by the developers key. And it is for newer apps only. I may not have one single app under that system. If google would modify the apps during signing process the devs could see that, correct?

Each time I dig a bit deeper the attack vectors become a bit academic. It is not easy for google to modify a messenger to include a backdoor without getting caught. But it is not that easy either if you download an app directly from github.

So I agree with @ClickClickDrone that google is overrated.

ClickClickDrone

schweizer
Google wouldn't even need to wait until the signing process; they could just push a malicious update to targeted users.

I do agree that the risk is very theoretical, though.