How to sign a new flavour of your Android app

Jan 13, 2023 - 4 min read

Overview

It was crucial to make sure the app was signed correctly after creating a new Android flavour. Since the Google Play Store would not be handling the signing of the app for me due to recent changes, I had to manage the key myself. In this article, I will go through a step-by-step guide on how I achieved this.

Why do you need to sign your app?

Android requires that all apps be digitally signed with a certificate before they can be installed. Android uses this certificate to identify the author of an app, and the certificate does not need to be signed by a certificate authority. Android apps often use self-signed certificates. The app developer holds the certificate’s private key.

The basics of protecting your Android app are a generated certificate and digital "key," which together produce a unique signature that is hard to forge. This proves that the app came from you, not from some other, suspicious source.

Keystores and their importance

On Android, this is done via a keystore. The keystore is a single file holding a block of encrypted data. There are two types of keystores that you should be aware of: debug and release. Keystore files are protected by a pair of passwords: one for the keystore file itself and another for each key alias within the file. While these passwords should ideally be different, most developers use the same password for both.

Signing in debug vs. release mode

You can sign an app in debug or release mode. You sign your app in debug mode during development and in release mode when you are ready to distribute your app. The Android SDK generates a certificate to sign apps in debug mode. To sign apps in release mode, you need to generate your own certificate.

Generating a new Keystore

It is first necessary to generate a new keystore. You can do this by executing the command below. Be careful to change "hub.keystore" and "alias_name" to the appropriate values for your project.

keytool -genkey -v -keystore hub.keystore -alias alias_name -keyalg RSA -keysize 4096 -validity 10000

When executed, this command creates a new keystore file at the project root containing a 4096-bit RSA key, which gives a higher level of security than a 2048-bit key. Make sure to enter a strong password when prompted. You will then be asked to enter details about yourself or the company you work for.

The signing details reported for the new key look like this:

    Signed by "CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US"
    Digest algorithm: SHA-256
    Signature algorithm: SHA256withRSA, 4096-bit key

Hooking up with services like Google APIs

To hook your app up with services like Google APIs, you'll need to print out each of your key's fingerprints and give them to the services you're using. To do that, run the command below, substituting the information in the square brackets with your specified details.

keytool -list -v -keystore [keystore path] -alias [alias-name] -storepass [storepass] -keypass [keypass]

Encrypting the Keystore

My advice would be to encrypt the keystore after it has been successfully created. This helps ensure nobody can gain unwanted access to the app's private signing key. To encrypt and decrypt the keystore, I used OpenSSL, which supports many different cryptographic operations, including AES (Advanced Encryption Standard).

openssl enc -aes-256-cbc -p -in hub.keystore -out hub.keystore.encrypted

Once the password has been entered twice, the keystore is encrypted and, because of the -p flag, the salt, key, and IV values are displayed. The key and IV are derived from your password and the salt, so treat this terminal output as a secret and keep it out of logs and shell history.

salt=9F93C660C97F7EB0
key=25DB9BEC8ED8B49D955F3FCEF599546AED60D422B4ECD0009A946582262105B8
iv =FEE0787F362F83655D6741043AF3EA4C
  • Salt is necessary to prevent pre-computation attacks.
  • An IV makes the same plain text produce different cipher texts. This prevents an attacker from exploiting patterns in the plain text to garner information from a set of encrypted messages.
  • Key is needed for decryption.
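To make the relationship between the salt, key, and IV concrete, here is an added Python example (not from the original post) that re-implements OpenSSL's legacy EVP_BytesToKey derivation, with MD5 as selected by -md md5, and reads the salt from the "Salted__" header that openssl enc writes in front of the ciphertext. The passphrase and the ciphertext body are constructed placeholders; the salt is the one shown above.

```python
from __future__ import annotations

import hashlib
import os

SALTED_MAGIC = b"Salted__"  # 8-byte header openssl enc writes before the ciphertext


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, md: str = "md5") -> tuple[bytes, bytes]:
    """Re-implements OpenSSL's legacy EVP_BytesToKey with iteration count 1.

    Each digest block is md(previous_block || password || salt); blocks are
    concatenated until key_len + iv_len bytes exist.  This is the derivation
    `openssl enc -aes-256-cbc -k <password> -md md5` performs, which is why the
    key and iv printed by -p follow from the password and the salt alone.
    """
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def parse_salted_header(blob: bytes) -> bytes:
    """Return the 8-byte salt stored in a Salted__ file such as hub.keystore.encrypted."""
    if len(blob) < 16 or blob[:8] != SALTED_MAGIC:
        raise ValueError("not an OpenSSL salted file")
    return blob[8:16]


def recover_key_iv(password: bytes, blob: bytes, md: str = "md5") -> tuple[bytes, bytes]:
    """Derive the AES-256-CBC key and IV for an encrypted file from its header and passphrase."""
    return evp_bytes_to_key(password, parse_salted_header(blob), md=md)


if __name__ == "__main__":
    # Constructed sample: the salt from the article's output, a hypothetical
    # passphrase, and random filler standing in for the encrypted keystore body.
    salt = bytes.fromhex("9F93C660C97F7EB0")
    blob = SALTED_MAGIC + salt + os.urandom(32)
    key, iv = recover_key_iv(b"hypothetical-passphrase", blob)
    print("salt=" + salt.hex().upper())
    print("key=" + key.hex().upper())
    print("iv =" + iv.hex().upper())
```

Newer OpenSSL releases derive the key with SHA-256 by default (or PBKDF2 when -pbkdf2 is given), so the same passphrase only reproduces the printed key and IV when the digest matches.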

Decrypting the Keystore

To decrypt the encrypted keystore, you can run a command similar to the following. OpenSSL takes a raw key with the uppercase -K option (lowercase -k would treat the hex string as a passphrase and derive a different key), so pass both the key and the IV values displayed during encryption, replacing them with your own, and write the result to a file with -out. When a raw key and IV are supplied this way, the salt and the -md digest option are not used.

openssl enc -aes-256-cbc -d -in hub.keystore.encrypted -out hub.keystore -K 25DB9BEC8ED8B49D955F3FCEF599546AED60D422B4ECD0009A946582262105B8 -iv FEE0787F362F83655D6741043AF3EA4C

After completing all these steps, your app is signed with a key that lives in an encrypted keystore. If you manage the key yourself rather than leaving it to the Google Play Store, your app benefits from increased security and ownership.

© 2025 christopherlogan.com, All rights reserved.