What Stops Google From Modifying Our APKs That It Signs Via the App Signing Service?

Question

As a follow-up to this question, I am trying to figure out what stops Google from modifying our apps that it signs and distributes. Regardless of whether we distribute an APK or an App Bundle, the App Signing service strips away whatever signature that we have and Google signs the APKs that it distributes. In the case of the App Bundle, this will result in several APKs, akin to what bundletool generates.

But since an APK is just a ZIP archive with compiled code and resources, it seems as though Google could modify that as they see fit before signing, including adding or replacing code.

Google has stated:

we don’t modify and distribute your application code without your knowledge and approval

and:

As stated before, Play will not modify the functionality of your application without your knowledge and approval.

Notably, Google used "don't" and "will not"... as opposed to "can't" and "cannot". In fact, in the same post, we see:

For apps uploaded as app bundles, we will improve this security by introducing what is called a source stamp. This source metadata is inserted into the app’s manifest by bundletool.

So, we know of at least one modification, albeit to metadata.

Plus, the Amazon AppStore for Android modifies APKs before re-signing them:

Regardless of whether you choose to apply Amazon DRM, Amazon wraps your app with code that enables the app to communicate with the Amazon Appstore client to collect analytics, evaluate and enforce program policies, and share aggregated information with you. Your app will always communicate with the Amazon Appstore client when it starts, even if you choose not to apply DRM.

Amazon removes your signature and re-signs your app with an Amazon signature that is unique to you, does not change, and is the same for all apps in your account.

Amazon has been doing this sort of thing for a decade.

It seems as though Google should have the same technical capability as does Amazon.

So, is there anything that I am missing that prevents Google from adding to or modifying the code in APKs that it re-signs and distributes?

Answer 1

Google doesn't just have the capability to modify .apk files uploaded to it's Google Play signing program- they already are.

Granted, this is at the moment a minor change and certainly a non-malicious one; but it remains an actual change of your .apk. They add

<meta-data       android:name="com.android.vending.derived.apk.id"       android:value="1" /> 

to the AndroidManifest.xml

Below is a comparison that I made in 2018 while researching this topic. It has the apk before upload (signed with upload key), and the apk as downloaded from Google Play with Google play signing enabled. As you can see from this graphic; there's only two changes- the old signing (upload key) was removed, and replaced with Google signing. And also the AndroidManifest.xml was slightly appended (with the meta-data mentioned above)

I'll also point out this Google IO video from 2017 where they're introducing Google Play signing: https://www.youtube.com/watch?v=5tdGAP927dk&feature=youtu.be. From 11:25 in they're talking about something called "App signing + optimizations". The idea was that they could optimize apks for you, and generate sub-apks. This was something that you could enable on a per-apk basis within Google Play. Today of course, you'll find no mention of any of this in any documentation, other than in this video- That's because they later came up with app bundles and essentially moved all this work into that. So, this is mostly relevant because the question was "What Stops Google From Modifying Our APKs That It Signs Via the App Signing Service?", and this shows that even specifically for .apk files they can; they intended to; and they were.

As others have pointed out; whoever has the signing keys and access to the Google Play account for the given app- can upload any .apk or .aab containing anything; as long as the packageName remains the same, and versionCode is incremented by one. The same applies of course to Google when Google Play signing is enabled. If they wanted, they could change, remove or add to any and all parts of the application.

It's worth keeping in mind that while yes; Google could modify everything and anything within the Google Play signed .apk file(s), those modifications aren't necessarily evil or with a bad intent. Whether for optimization purposes, compatibility or hot-fixing; there are plenty of reasons Google could or would modify the uploaded apk and justify those modifications. And they wouldn't necessarily warn the developers about this; nor would developers necessarily react to a discovery of this with an outcry.

I do believe that we're very unlikely to see Google perform purposely malicious content changes to uploaded apps, mostly for business, reputation and ethical risks outlined well in the other answers here already. I just can't picture this being a valuable attack vector for Google that outweighs the rather heavy cost-risk, and considering the other, often stronger vectors available to them.

Lastly, I'll mention integrity checks as one way this would be discovered. There are several solutions in this space that goes further than signature checks to verify the integrity of the app. Whether app developers roll their own, or use an off-the-shelves solution- these checks typically run during runtime on device to verify the integrity of the apk; comparing against records taken during compile-time or near compile-time. Modifications performed to the apk during transit does get picked up by this, including whatever change Google Play might do.

Disclaimer: I work for a app-security company that performs such integrity checks (any many other checks and verifications) on the apps that we protect. We've had to map out and account for all changes Google Play might do to an app both for regular apk files and app bundles- so we can distinguish between Google Play doing optimizations and a malicious actor repackaging the app.