What reasons does it have to sign apk?

Question

I knew it's only for managing application in google play store.
But are there also other reasons to protect code from the decompiler?

I wonder what is the right answer for this question in the interview.
Anyone, who let me know the reasons why we should sign the application?

Answer 1

if you're asking why would we sign an apk, well a digital signature is a method of demonstrating the authenticity of a digital file, such as a document, message or in this case an apk, which is really just a collection of files.

so by signing an apk, we are effectively creating a way of ensuring that whoever makes use of the apk gets a verifiable copy of the file they were expecting to receive. This has obvious advantages in terms of security, as others can't make changes to this file whilst maintaining the same signature.

From the docs :

There are several reasons why you should do so:

App upgrade: When the system is installing an update to an app, it compares the certificate(s) in the new version with those in the existing version. The system allows the update if the certificates match. If you sign the new version with a different certificate, you must assign a different package name to the app—in this case, the user installs the new version as a completely new app.

App modularity: Android allows APKs signed by the same certificate to run in the same process, if the apps so request, so that the system treats them as a single app. In this way you can deploy your app in modules, and users can update each of the modules independently.

Code/data sharing through permissions: Android provides signature-based permissions enforcement, so that an app can expose functionality to another app that is signed with a specified certificate. By signing multiple APKs with the same certificate and using signature-based permissions checks, your apps can share code and data in a secure manner.

If you plan to support upgrades for an app, ensure that your app signing key has a validity period that exceeds the expected lifespan of that app. A validity period of 25 years or more is recommended. When your key's validity period expires, users will no longer be able to seamlessly upgrade to new versions of your app.

If you plan to publish your apps on Google Play, the key you use to sign your app must have a validity period ending after 22 October 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade apps when new versions are available.