You must log in or register to comment.
I’m having a moment - do users need to manually install the app again to receive the new version with the new digital signature associated?
Yes, exactly.
You need to manually install the new version with the new signature.
Cheers!
The title doesn’t match the facts in the announcement.
Only signature of the developer was leaked which could have lead to unsafe releases, but the point is moot as the developer is changing the signature key moving forward.
There’s a lot unclear, but it seems that an actual compromised update was released on official infrastructure (and subsequently removed from some devices by Play Protect). A transparency statement from the developer is still forthcoming. I’m not risking anything, not even updating to the new app, until all the dust has settled.
The app id is being changed, so there is no way to push new updates with that signature anymore. Hence the need to re-install the app.
Also it looks like the developer is adding VirusTotal scan workflow for all new releases moving forward.
That said, I’m not familiar with the developer or the situation enough to comfortably say it’s safe.
I edited the title to be more specific.
