Open TravisWhitehead opened 4 years ago
It appears that Keybase does install split APKs. The paths from my phone:
```
$ pm path io.keybase.ossifrage
package:/data/app/io.keybase.ossifrage-sh4qPtx8RqCr-LMhEy37bg==/base.apk
package:/data/app/io.keybase.ossifrage-sh4qPtx8RqCr-LMhEy37bg==/split_config.arm64_v8a.apk
package:/data/app/io.keybase.ossifrage-sh4qPtx8RqCr-LMhEy37bg==/split_config.en.apk
package:/data/app/io.keybase.ossifrage-sh4qPtx8RqCr-LMhEy37bg==/split_config.xxhdpi.apk
```
Although splits can be built using bundletool locally, I haven't found any way for developers to upload splits that they built & signed themselves to the Google Play Store. Please correct me if this is possible and I'm just failing to determine how.
If this implies that Keybase uses Android App Bundles, that means that Google possesses the private signing keys used to sign Keybase's APKs.
This is a security concern for some users.
It was speculated in another issue that Keybase may be building APKs using Android App Bundles.
The implication of this would be that Google possesses the private keys that the Keybase APK is signed with. Some users may be okay with this, while others would consider this a reason to steer clear of Keybase (depending on their threat/adversary models).
Could someone from the Keybase team please let us know whether this is the case? Thanks! 😄