While you might file this one under "really? We weren't doing this already?" if you're a security expert, Google has added stricter validation of APKs in Android "M" that should prevent what I guess you could call tinkering by omission.
Previously, APK validation checks looked at the SHA-1 signature for every file in said APK against those stored in the app's manifest.mf file, which is automatically generated during the signing process. If any of the files were modified, the APK would fail validation, and then fail to install or launch. This is an obvious security measure, designed to prevent people from loading up malicious software or otherwise doing nefarious things with legitimate APKs.Read More