Android security update
Apr 23, 2019 · 3 min read

Hi all,

After the security incident at, we have decided to publish a new Android app on the Google Play Store out of an abundance of caution.

The fresh app is still called but internally it has a different application identifier ( Because of this new id, the new app appears in Google Play as a completely different application. This also prevents an automatic update from the old to the new application.

(Google unexpectedly removed the new app from the Play Store on April 25th between 13:00 UTC and 16:00 UTC; they haven’t given us any details on why, but it’s back now. Apologies for any inconvenience).

This means that Riot/Android users who installed the app from Google Play must first make sure their end-to-end encryption keys are backed up (either by exporting them manually, or by backing them up onto the server), and then install the new app by hand. Because the new app has a different application identifier, it runs in its own sandbox and cannot read the old app's local data, so keys that were not backed up will not carry over. We are very sorry for the inconvenience, but we would rather be safe than sorry.


Why this change?

During the security incident on’s production infrastructure, the attacker may have had access to the key we use to sign the Riot Android app. Unfortunately, it is impossible to replace this key without replacing the application: Android ties an installed app's identity to its application identifier together with its signing certificate, and will only accept an update signed with that same certificate, so the key cannot be swapped out underneath the existing app.

In future we will store the signing key offline, away from the production infrastructure, for maximum security.

The risk

If the key was compromised, the attacker could sign a malicious build of the Riot Android app with our certificate. They would not be able to publish it to Google Play, but they could distribute it through other channels (e.g. by circulating a malicious APK file). Because Android treats any APK with the same application identifier and signing certificate as a legitimate update, a user who installed such an APK would have the existing app silently replaced by the malicious build, which would inherit its data and permissions.

We have no reason to believe that this attack is happening in the wild; this measure is to prevent it from happening in future.
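The practical check a user or an admin can make here is to look at which certificate actually signed an APK before trusting it. The example below is added for this post; it is not code from Riot or Matrix.org. It opens an APK as a zip, pulls the signer certificate(s) out of the v1 (JAR) signature block under `META-INF/` with a small DER walker, and prints their SHA-256 fingerprints so they can be compared against a fingerprint obtained out of band (the real value for the new app is not given on this page; `fingerprint(FAKE_CERT)` stands in for it). The sample APK and certificate are constructed inline and are not a real certificate or a real Riot build. This only identifies the signer; it does not verify the signature over the archive, and APKs signed only with the v2/v3 scheme keep their signer in the APK Signing Block rather than `META-INF/`, so for a real file use `apksigner verify --print-certs` and treat this as the portable fallback.

```python
"""Read the signer certificate(s) out of an APK's v1 (JAR) signature and
compare their SHA-256 fingerprints against a pinned value."""
import hashlib
import io
import zipfile

SEQUENCE, SET, CONTEXT_0 = 0x30, 0x31, 0xA0   # the DER tags we need (single-byte tags only)


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV; only used to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:                                        # long-form length: 0x80|k, then k length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, pos, pos + n


def children(buf: bytes, start: int, end: int):
    """Yield (tag, whole_tlv, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, buf[pos:ve], vs, ve
        pos = ve


def signer_certificates(pkcs7: bytes) -> list:
    """Return the DER certificates carried in a PKCS#7 SignedData blob (META-INF/*.RSA).
    Extraction only: the signature over the APK is NOT verified here."""
    tag, vs, ve = read_tlv(pkcs7, 0)             # ContentInfo ::= SEQUENCE { contentType, [0] content }
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    signed_data = None
    for ctag, _, cvs, _ in children(pkcs7, vs, ve):
        if ctag == CONTEXT_0:                    # [0] EXPLICIT SignedData
            signed_data = cvs
    if signed_data is None:
        raise ValueError("ContentInfo carries no content")
    tag, vs, ve = read_tlv(pkcs7, signed_data)   # SignedData ::= SEQUENCE { version, digestAlgorithms,
    certs = []                                   #   encapContentInfo, certificates [0] IMPLICIT, ... }
    for ctag, _, cvs, cve in children(pkcs7, vs, ve):
        if ctag == CONTEXT_0:
            for itag, whole, _, _ in children(pkcs7, cvs, cve):
                if itag == SEQUENCE:             # each X.509 Certificate is itself a SEQUENCE
                    certs.append(whole)
    return certs


def apk_signer_certificates(apk_bytes: bytes) -> list:
    """Collect certificates from every META-INF/*.RSA|DSA|EC block in the APK (a zip)."""
    certs = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                certs.extend(signer_certificates(z.read(name)))
    return certs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint(cert_der: bytes) -> str:
    """Colon-separated uppercase SHA-256 of the DER certificate, as keytool -printcert shows it."""
    h = sha256_hex(cert_der).upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def apk_matches_pin(apk_bytes: bytes, pinned: str) -> bool:
    """True iff every signer in the APK is the pinned one (colons and case ignored).
    Pin the NEW app's key: an APK forged with the leaked key still matches the old pin."""
    want = pinned.replace(":", "").lower()
    return {sha256_hex(c) for c in apk_signer_certificates(apk_bytes)} == {want}


# --- constructed sample: NOT a real certificate and NOT a real Riot APK -------------
FAKE_CERT = der(SEQUENCE, der(0x02, b"\x01") + der(0x04, b"fake-signer-key" * 10))  # >127 bytes
FAKE_PKCS7 = der(SEQUENCE,
    der(0x06, bytes.fromhex("2A864886F70D010702"))                      # id-signedData
    + der(CONTEXT_0, der(SEQUENCE,
        der(0x02, b"\x01")                                             # version
        + der(SET, b"")                                                # digestAlgorithms (empty here)
        + der(SEQUENCE, der(0x06, bytes.fromhex("2A864886F70D010701")))  # encapContentInfo: id-data
        + der(CONTEXT_0, FAKE_CERT)                                    # certificates [0] IMPLICIT
        + der(SET, b""))))                                             # signerInfos (empty here)


def build_sample_apk() -> bytes:
    """A minimal zip with the v1-signature layout, carrying FAKE_PKCS7 (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", FAKE_PKCS7)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for cert in apk_signer_certificates(data):
        print(fingerprint(cert))
```

Run it as `python3 apk_signer.py path/to/riot.apk` to print the fingerprints; with no argument it runs against the constructed sample. The fingerprint you pin must be the new app's, obtained from the publisher out of band: pinning the old fingerprint would accept exactly the forged APK the post warns about.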

The old app

We made a final release 0.8.99 with 2 main changes:

  • It has been renamed to “Old”
  • There is a dialog on every startup to warn users to reinstall and migrate to the new app

You can trust this final version provided you receive it as an update from Google Play, not as an APK circulated through other channels.


The F-Droid release of Riot is not affected, since it is signed with a different key; this only affects the Google Play Store app.

Riot iOS

The Riot iOS app is not affected.
