Important Announcement
Friends, it seems that my digital signature has been exposed. This signature protects the app from fake and malicious updates, so there is a risk that someone may try to rele...
There’s a lot unclear, but it seems that an actual compromised update was released on official infrastructure (and subsequently removed from some devices by Play Protect). A transparency statement from the developer is still forthcoming. I’m not risking anything, not even updating to the new app, until all the dust has settled.
I’m not concerned about the app id changing after a signature leak, in fact, it’s what I’d expect. I am concerned about if the new signature is from the actual dev or not, and the dev hasn’t really said much other than they’ll release a disclosure once their new build is pushed to fdroid. It’s been pushed as far as I can tell, and it’s still been silence from them. I’d recommend not installing either app until this gets sorted out, and revoking the app’s access to your account.
There’s a lot unclear, but it seems that an actual compromised update was released on official infrastructure (and subsequently removed from some devices by Play Protect). A transparency statement from the developer is still forthcoming. I’m not risking anything, not even updating to the new app, until all the dust has settled.
The app id is being changed, so there is no way to push new updates with that signature anymore. Hence the need to re-install the app.
Also it looks like the developer is adding VirusTotal scan workflow for all new releases moving forward.
That said, I’m not familiar with the developer or the situation enough to comfortably say it’s safe.
I’m not concerned about the app id changing after a signature leak, in fact, it’s what I’d expect. I am concerned about if the new signature is from the actual dev or not, and the dev hasn’t really said much other than they’ll release a disclosure once their new build is pushed to fdroid. It’s been pushed as far as I can tell, and it’s still been silence from them. I’d recommend not installing either app until this gets sorted out, and revoking the app’s access to your account.