When you use app signing by Google Play, your keys are stored on the same infrastructure that Google uses to store its own keys. Keys are protected by Google’s Key Management Service. If you want to learn about Google’s technical infrastructure, read the Google Cloud Security Whitepapers.
Android apps are signed with a private key. To ensure that app updates are trustworthy, every private key has an associated public certificate that devices and services use to verify that the app is from a trusted source. Devices only accept an update when its signature matches the installed app’s signature. Letting Google manage your app signing key makes this process more secure.
Note: Using app signing by Google Play is optional. You can still upload an APK and manage your own keys instead of using an app bundle. However, if you lose your keystore or it becomes compromised, you won’t be able to update your app without publishing a new app with a new package name.
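To make the update rule concrete, here is an added example (not code from the page or from Google) that models it in Go with the standard library: a signer generates a key and a self-signed certificate, a package is signed, and a device-side check accepts an update only when the signature verifies and the signing certificate's SHA-256 fingerprint matches the one recorded for the installed app. The `Signer`, `SignedPackage`, `CanUpdate` names and the package contents are constructed for illustration; the `SignedPackage` shape is a simplification of a real APK signature block, not its actual format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer models an app signing identity (constructed for this example):
// the private key and the self-signed certificate carrying its public key.
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewSigner generates a P-256 key and a long-lived self-signed certificate,
// the same shape of key/certificate pair an app signing keystore holds.
func NewSigner(commonName string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(25, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Key: key, Cert: cert}, nil
}

// SignedPackage is a simplified stand-in for a signed APK: the contents,
// the signer's DER certificate, and an ECDSA signature over SHA-256(contents).
type SignedPackage struct {
	Contents  []byte
	CertDER   []byte
	Signature []byte
}

// Sign signs contents with the signer's key and embeds its certificate.
func (s *Signer) Sign(contents []byte) (*SignedPackage, error) {
	digest := sha256.Sum256(contents)
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedPackage{Contents: contents, CertDER: s.Cert.Raw, Signature: sig}, nil
}

// CertFingerprint is the SHA-256 of the DER certificate, the value a device
// records at install time to identify the app's signer.
func CertFingerprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

// VerifySignature checks the signature under the public key in the embedded
// certificate. It proves the contents are intact, not who the signer is.
func VerifySignature(pkg *SignedPackage) error {
	cert, err := x509.ParseCertificate(pkg.CertDER)
	if err != nil {
		return err
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, pkg.Contents, pkg.Signature)
}

// CanUpdate models the device rule: accept an update only if its signature
// verifies AND its signing certificate matches the installed app's. A valid
// signature from a different key (e.g. a key recreated after losing the
// keystore) is rejected, which is why a lost key forces a new package name.
func CanUpdate(installedFingerprint string, update *SignedPackage) error {
	if err := VerifySignature(update); err != nil {
		return err
	}
	if CertFingerprint(update.CertDER) != installedFingerprint {
		return errors.New("signer mismatch: not signed by the installed app's key")
	}
	return nil
}

func main() {
	original, _ := NewSigner("com.example.app original key")
	replacement, _ := NewSigner("com.example.app key recreated after keystore loss")
	installed, _ := original.Sign([]byte("com.example.app v1"))
	fp := CertFingerprint(installed.CertDER)
	sameKey, _ := original.Sign([]byte("com.example.app v2"))
	otherKey, _ := replacement.Sign([]byte("com.example.app v2"))
	fmt.Println("same key:  ", CanUpdate(fp, sameKey))  // <nil>
	fmt.Println("other key: ", CanUpdate(fp, otherKey)) // signer mismatch
}
```

The two checks are deliberately separate: `VerifySignature` succeeds for the package signed with the replacement key, because that signature is internally valid, yet `CanUpdate` still rejects it. That is the property the text describes: a device pins the signer it saw at install time, so no key other than the original (or the Google-held key under app signing by Google Play) can ship an update.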