Just came across a banking app that is delivered as a split APK. Seriously?! Shit for brains? Slept through cryptography 101?
If your app must communicate over an encrypted channel, then you must NOT use the split APK format. The very fact that Play asks you for your signing (=private) key should ring a bell.
Why do smartphones have fingerprint sensors?
The three golden rules for password management are:
You always “write down” your fingerprints when touching a smooth surface. You can never change them and you (usually) have only 10 of them to begin with. Fingerprints violate all of the above rules, making them completely unfit for being used as password replacements. Smartphone manufacturers know that, but build fingerprint sensors into their devices nonetheless. Why? Because the point is not to actually protect anything on your phone, but to give you the illusion that only you can access it. Otherwise you wouldn’t trust it with your personal data.
Fingerprint sensors are not a security feature. They are simply part of the sales pitch.
Publishing on Google Play requires you to publish a contact email address as well. Publishing a contact address means you get spam mail. The spam you get via the Play contact address is scary.