Android: Google Play App Signing and Ionic?


#1

https://support.google.com/googleplay/android-developer/answer/7384423?hl=en

With Google Play App Signing, you can securely manage your app signing keys for new or existing apps. Keys are stored on the same secure infrastructure Google uses to store its own keys.

If you lose your keystore or think it may be compromised, Google Play App Signing makes it possible to request a reset to your upload key. If you’re not enrolled in Google Play App Signing and lose your keystore, you’ll need to publish a new app with a new package name.

What exactly is the benefit of using this?
Reading through the linked documentation, instead of the Keystore with the App Signing Key I then have an Upload key that has to be handled exactly the same. What’s the difference?

Does anyone have any experience with this with their Ionic apps?


#2

Ok, I got it after watching the video:

Basically this makes sure that we, the developers, can fuck up and lose our Upload key. It can be replaced. The App Signing key could not be replaced. Now that Google takes care of the App Signing key, this gets easier and the security part is now with a replaceable upload key.

It also enables Google to mess with the uploaded APK (e.g. optimize app size) as “derived APKs” before signing it. Neat! (And actually the most useful change here. I am not sure how much impact this has on Ionic apps though)

Makes sense.

So, should we use it for our Ionic apps?


#3

Once you opt in you cannot opt out. Does anyone know if that would have some disadvantages or cause trouble?


#4

I can’t really think of any.

Maybe the automated messing with APKs could destroy your app somehow, but I expect this to be quite solid from Google.

But one definitely would have to try it. Will do with some demo apps in the future.


#5

Whoa, just created a new app in the Play Console and when you upload the first APK there is now a prompt for automatic app signing as well with a “Continue” button that opts in the app with one click. No way to undo. Shady, Google…


#6

I was wondering if anyone has eventually used the “Google Play App Signing” service and if they faced any issues, especially when Crosswalk is enabled?


#7