The security of Android app updates hinges on the secrecy of a given app's signing key. It's how app updates are verified as secure, and if it falls into the wrong hands, false updates could be distributed containing nefarious changes. As a result, developers usually guard signing keys quite closely, but someone at Facebook seriously messed up. A key used by the company to digitally sign its Free Basics by Facebook app has been compromised, and third-party apps reusing the key have been spotted online.

After APK Mirror and Android Police owner Artem Russakovskii discovered the issue and reported it to Facebook, the original app listing was pulled from the Play Store and replaced with a new app using a new signing key.

Read More