Even worse. Many apps have google signature instead of the developers. They upload their key and give it to google. Horrible practice.
Nowadays, fdroid gravitates towards reproducible builds with the dev’s own signature and google is going the other way round. Gravitating towards an unsafe “best practice” …
Potentially, but that doesn’t really matter, as you can match the signatures of the two versions and see that they are the same. You cannot fake that and have one version have different code, it’s not possible.
Excuse my ignorance and correct me if I’m wrong
But does the play store not do some sort of scanning itself?
Even worse. Many apps have google signature instead of the developers. They upload their key and give it to google. Horrible practice. Nowadays, fdroid gravitates towards reproducible builds with the dev’s own signature and google is going the other way round. Gravitating towards an unsafe “best practice” …
Potentially, but that doesn’t really matter, as you can match the signatures of the two versions and see that they are the same. You cannot fake that and have one version have different code, it’s not possible.
Thanks for the insight :)