https://lists.reproducible-builds.org/pipermail/rb-general/2023-January/002825.html
We already know that embedded signatures [1] pose a challenge for reproducible builds.
And it’s not too hard to imagine a program detecting which key it’s signed with and changing its behaviour based on that; which I think is inherently unavoidable.
But the Android APK Signature Scheme v2/v3 [2] actually allows embedding arbitrary data (or code) in the signing block, meaning that two APKs with the exact same valid signature – though not a bit-by-bit identical signing block – can behave differently.
I have written about my concerns [3] before, but now I’ve finally made a PoC [4] for an Android app that reads the APK Signing block of its own APK and extracts a payload to alter its behaviour.