androidgoogle-playkeysign

What evil happens when somebody steals my release key for android apps?


Before being able to publish an Android App on Google Play it needs to be signed with a release key. Its said to be for security. When generating the key one has to enter a password.

What is all the fuss about, here? Let me ask, what would happen if my release key got stolen/copied. Assume somebody could even manage to use that key to sign apps of him/herself. What bad would that mean?

I would argue, little to none, correct? (considering that my developer account/console credentials were not stolen too)
Maybe the biggest/ only risk would arrise if somebody elses app signed with the stolen release key would become able to more directly access data of my app (on the users devices).


Solution

  • They can grab your APK (publicly readable on all Android devices), modify it (e.g., add malware), sign it, and distribute it. Assuming that they bump the versionCode, anyone who tries installing their hacked version of your app will succeed, as from Android's standpoint, it is a valid upgrade. If the hacker can obtain your credentials for your distribution channel (e.g., compromise your Google account for the Play Store), they can ship their update to all of your users.

    Or, they can create their own separate APK and sign it with your signing key. Now, your app and theirs are signed by the same key. That opens up other attack avenues: