Android License Verification Library and app signing


Why doesn't the Android License Verification Library verify app signing?

Steps:

  1. Build an APK with OBB.
  2. Upload APK and OBB to Google Play Console for Alpha release.
  3. Resign the APK and install it locally (without uploading to Google Play).
  4. Start the app.

If you have configured the alpha-test account properly, the re-signed APK will download the OBB from Google Play successfully. (I am using the Downloader library, which uses LVL.)

IMO, it's easy for LVL to compare the APK's certificate with the "true" certificate.


Nick Fortescue:

Google LVL is not based on app signing, because checking the signature would require code running on the client to read the app's signature, and by nature that code can be modified by an attacker.

Instead, it checks on the Google server side whether the user has acquired the app, using Google's server-side record of whether the user has ever acquired the app from Google Play (where it can't be attacked).

The purpose of LVL is to allow (paid) apps to check whether they were acquired from Play, not to detect modification. If you want to detect modification in your app, you would be better off using the Google SafetyNet Attestation API.
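The comparison the question proposes (the APK's signer certificate against the "true" release certificate) can be done, but as the answer notes it only holds up where the attacker cannot patch the checking code, i.e. in your build pipeline or on a server over the uploaded artifact, not inside the app. The following is an added example, not code from the original post or from Google's LVL or Downloader library: it reads the signer certificate out of an APK's v1 (JAR) signature file and computes its SHA-256 fingerprint, the same digest `apksigner verify --print-certs` reports. Assumptions: only the v1 signature (`META-INF/*.RSA`, `*.DSA`, `*.EC`) is handled, not the v2/v3 APK Signing Block; the PKCS#7 blob is parsed just far enough to pull out the certificates and the signature itself is not verified; the two sample APKs and their "certificates" are constructed in memory with dummy DER content so the script runs offline.

```python
"""Added example (not from the original post): extract the v1 signer certificate(s)
from an APK and fingerprint them, so a re-signed build can be told apart from the
release build offline.  Only the v1 JAR signature is handled and the signature is
NOT verified; the sample APKs below are constructed with dummy certificates."""
import hashlib
import io
import zipfile

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
DATA_OID = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1


def der_encode(tag, value):
    """Encode one DER TLV (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; returns (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte DER tags not supported")
    length = buf[pos + 1]
    hdr = 2
    if length & 0x80:                       # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, start, start + length


def pkcs7_certificates(blob):
    """Walk ContentInfo -> [0] SignedData -> certificates [0]; return raw DER certs."""
    tag, s, _ = der_tlv(blob, 0)            # ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a PKCS#7 ContentInfo")
    tag, _, e = der_tlv(blob, s)            # contentType OID
    if tag != 0x06:
        raise ValueError("missing contentType OID")
    tag, s, _ = der_tlv(blob, e)            # [0] EXPLICIT content
    if tag != 0xA0:
        raise ValueError("missing SignedData content")
    tag, pos, _ = der_tlv(blob, s)          # SignedData SEQUENCE
    if tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")
    for _ in range(3):                      # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = der_tlv(blob, pos)
    tag, cs, ce = der_tlv(blob, pos)        # certificates [0] IMPLICIT OPTIONAL
    if tag != 0xA0:
        return []
    certs, p = [], cs
    while p < ce:
        _, _, ve = der_tlv(blob, p)
        certs.append(blob[p:ve])            # whole Certificate TLV, which is what gets hashed
        p = ve
    return certs


def cert_fingerprint(cert_der):
    """SHA-256 over the DER certificate, as apksigner's 'certificate SHA-256 digest'."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_signer_fingerprints(apk_bytes):
    """Fingerprints of every certificate carried in the APK's v1 signature files."""
    out = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                out.extend(cert_fingerprint(c) for c in pkcs7_certificates(z.read(name)))
    return out


def signer_matches(apk_bytes, expected_fingerprint):
    """The check the question proposes: is the release certificate among the signers?"""
    return expected_fingerprint in apk_signer_fingerprints(apk_bytes)


# --- constructed sample data (hypothetical; not real X.509 certificates) ---------------
def make_pkcs7(cert_ders):
    """Minimal unsigned SignedData wrapper carrying the given certificates."""
    signed_data = der_encode(0x30,
        der_encode(0x02, b"\x01")                            # version
        + der_encode(0x31, b"")                              # digestAlgorithms (empty)
        + der_encode(0x30, der_encode(0x06, DATA_OID))       # encapContentInfo
        + der_encode(0xA0, b"".join(cert_ders))              # certificates [0]
        + der_encode(0x31, b""))                             # signerInfos (empty)
    return der_encode(0x30, der_encode(0x06, SIGNED_DATA_OID) + der_encode(0xA0, signed_data))


def make_fake_cert(label):
    """Dummy DER SEQUENCE standing in for a certificate (constructed, not X.509)."""
    return der_encode(0x30, der_encode(0x13, label.encode()))


def make_fake_apk(cert_ders):
    """Tiny zip with the v1 signature layout; constructed for the demo only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", make_pkcs7(cert_ders))
    return buf.getvalue()


RELEASE_CERT = make_fake_cert("CN=constructed-release-key")
DEBUG_CERT = make_fake_cert("CN=constructed-debug-key")
RELEASE_APK = make_fake_apk([RELEASE_CERT])      # what was uploaded to Play
RESIGNED_APK = make_fake_apk([DEBUG_CERT])       # step 3 of the question: re-signed locally

if __name__ == "__main__":
    expected = cert_fingerprint(RELEASE_CERT)
    print("release APK matches:", signer_matches(RELEASE_APK, expected))
    print("re-signed APK matches:", signer_matches(RESIGNED_APK, expected))
```

On a real APK, run `apk_signer_fingerprints(open("app.apk", "rb").read())` and compare against the fingerprint of your release keystore's certificate; for production use prefer `apksigner verify --print-certs`, which also verifies the signatures and the v2/v3 signing block. Putting the same comparison inside the app, as the question suggests LVL could do, is exactly the client-side code the answer says an attacker can patch out along with the rest of the APK before re-signing it.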