It's interesting that this is happening at the same time Apple is introducing bitcode, which similarly allows Apple to optimise the app and sign the optimised version. This makes it very hard for developers to verify that their users are receiving their apps without any added/removed functionality.
Paranoid people might suspect that this simultaneous move by Apple and Google is the result of political pressure to provide some means of adding/removing functionality, such as end-to-end encryption.

Cheers,
Michael

On 18/05/17 09:29, Hans-Christoph Steiner wrote:
>
> Lol, so it turns out that F-Droid was a pioneer and innovator, years
> ahead of Google ;-)
>
> Looks like a play to give Google more info on releases, since all
> releases must go through them. It would also encourage developers to
> use Google as the gatekeeper for app releases. I guess this could also
> be some kind of key backup.
>
> Anyone see anything about their motivations for doing this? I wonder
> how much data they have on signing keys getting stolen and abused.
>
> .hc
>
> Nathan of Guardian:
>> Just logged into Play and found this:
>> https://support.google.com/googleplay/android-developer/answer/7384423
>>
>>
>> "Google Play
>> Google Play App Signing Terms of Service
>>
>> Effective as of May 17th 2017
>>
>> By enrolling Your application (“app”) in Google Play App Signing (GPAS)
>> service, You consent to be bound by these terms, in addition to the
>> existing Google Play Developer Distribution Agreement (“DDA”) and Google
>> Play Developer Program Policies (collectively, the “Agreement”). If
>> there is a conflict between these terms and the Agreement, these terms
>> govern use of Your app in GPAS. Capitalized terms used below, but not
>> defined below, have the meaning ascribed to them under the Agreement.
>>
>> 1. Key Generation and Storage
>>
>> 1.1. GPAS is an optional service that provides a secure means of
>> handling Your app signing key.
>>
>> 1.2. By enrolling Your existing app in GPAS, You agree to give Your
>> existing app’s signing key to Google and to secure or delete Your
>> copy(ies) of the key. For new apps, Google will generate a new app
>> signing key for Your app.
>>
>> 1.3. You will have the ability to download and review any APKs you
>> publish that are signed by Google.
>>
>> 2. Automated App Optimizations
>>
>> 2.1. By enrolling Your app in GPAS, in addition to the license granted
>> in 5.1 of the DDA, You grant Google a license to modify Your app APKs to
>> optimize their performance, security and/or size, for the life of the
>> app. The modifications, and the timing of which, will be made at
>> Google’s sole discretion.
>>
>> 2.2. For the avoidance of doubt, services provided in GPAS are not
>> intended to change the purpose of Your app.
>>
>> 3. Permanent Enrollment
>>
>> 3.1. It will not be possible to retrieve Your app signing key once it is
>> provided to or generated by Google.
>>
>> 3.2. You can unpublish Your app and publish a new app with a new package
>> name, without opting into GPAS, at any time.
>>
>> 4. Optional App Optimizations
>>
>> 4.1. Google may offer You app optimizations, separate from the automated
>> ones referenced in Section 2, that You may choose to apply to Your apps
>> enrolled in GPAS.
>>
>> 4.2. You are not required to accept any of these optional app
>> optimizations.
>>
>> 4.3. If You choose to apply an optional app optimization, You can
>> opt-out of any you choose at any time.
>>
>> 5. Changes to the Agreement
>>
>> 5.1. Google may make changes to these terms at any time by sending You
>> reasonable notice describing the modifications made. Google also will
>> post a notification on the Google Play Console describing the
>> modifications made. They will become effective, and will be deemed
>> accepted by You, (a) immediately for those who opt-in to GPAS after the
>> notification is provided, or (b) for pre-existing GPAS users, on the
>> date specified in the notice. If You do not agree with the modifications
>> to the Terms, You must withdraw from GPAS, subject to Section 3, which
>> will be Your sole and exclusive remedy. You agree that Your failure to
>> withdraw constitutes Your agreement to the modified terms.
>>
>> © Google Privacy & Terms Help"
>>
_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email: [email protected]
