Facebook loses control of key used to sign Android app


Android apps are digitally signed by their developers. Digital signatures are created using a private cryptographic key, and the word ‘private’ means just what it says – the value of the signature depends on keeping the signing key private.

After all, if someone else gets hold of your private key then they can sign their own apps with it and pass them off as yours.

Facebook, however, is reportedly shrugging off the fact that it lost control of one of its app-signing keys and that apps signed with that same key are popping up in unofficial repositories.

The signing key that Facebook lost was apparently used to vouch for the Free Basics by Facebook app. According to Artem Russakovskii, the owner of the Android Police website and its sister site, APK Mirror, which hosts Android apps for download, third-party apps signed with that key have appeared online.

Free Basics, in case you are wondering, is part of Facebook’s 2016 plan to connect everyone on the planet, for free.
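The following is an added example, not code from the article or from any repository it mentions: a sketch of an upload check an app repository could run, showing why a signature match alone stops being evidence of origin once a signing key is out of its owner's control. The package names, certificate byte strings, policy tables and function names are all constructed for illustration.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signer certificate, a common way to identify a signer."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed stand-ins for DER-encoded signer certificates (not real certificates).
VENDOR_CERT = b"constructed-cert: vendor release key"
LEAKED_CERT = b"constructed-cert: vendor key that leaked"
OTHER_CERT = b"constructed-cert: unrelated developer"

# Hypothetical repository policy: package name -> signer fingerprints seen on genuine releases.
PINNED = {
    "com.example.vendor.app": {fingerprint(VENDOR_CERT)},
    "com.example.vendor.basics": {fingerprint(LEAKED_CERT)},
}
# Fingerprints of keys reported as no longer under the owner's control.
COMPROMISED = {fingerprint(LEAKED_CERT)}

def signature_only_check(cert_der: bytes) -> bool:
    """Weak check: trusts any upload signed with a key the repository has seen before."""
    known = set().union(*PINNED.values())
    return fingerprint(cert_der) in known

def review_upload(package: str, cert_der: bytes) -> str:
    """Stricter check: the signer is judged together with the package and the key's status."""
    fp = fingerprint(cert_der)
    if fp in COMPROMISED:
        # A valid signature proves possession of the key, not who holds it.
        return "reject: signer key reported compromised"
    owners = {pkg for pkg, fps in PINNED.items() if fp in fps}
    if package in PINNED:
        if package in owners:
            return "accept"
        return "reject: signer does not match pinned key"
    if owners:
        return "hold: known vendor key on an unlisted package"
    return "hold: new package, unknown signer"

if __name__ == "__main__":
    for pkg, cert in [("com.example.vendor.app", VENDOR_CERT),
                      ("com.example.game", LEAKED_CERT),
                      ("com.example.tool", VENDOR_CERT)]:
        print(pkg, "->", review_upload(pkg, cert))
```

The weak check passes a third-party app signed with the leaked key, while the stricter one rejects it and also holds back any new package that turns up under a known vendor key.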