I had someone develop an app for my nonprofit, and was about to publish the apk in the Developer Console. I realized that it needs a "release" signature by the developer. This, of course, entails key generation on the developer's part. Any recommendation on how I should publish the app under my name and my nonprofit's name?
I have paid for the app itself to be developed, and this may be a one-off scenario with this developer, but I want a key that I can use to update the app in the future using other developers.
And guidance would be great. Thank you.
You need to generate a key yourself. The key generator of Android Studio is perfectly fine.
Then you should compile the source yourself using the key you just generated.
Alternatively you can send the key to your developers. But unless there is a good reason I wouldn't do that because it eases identitiy theft.
Related
I have Android application on Play Store and build backend using Ruby on Rails. but some people are making an exact copy of my application using reverse engineering and they are using my APIs. how can I add authentication in my API so that I can prevent access to those applications which are copied form my application. I have implemented basic token authentication in which I am sending token to my APIs from Android app.
You have to know that android apps are identified by their Digital signature and package name, you have to sign your package.
https://developer.android.com/studio/publish/app-signing
Even if you Sign your app, decompilation is feasible. you may add extra level of security with will provide by obfuscation tools the well-known of which is Proguard.
It seams you didn't obfuscate your app which results code readability after Decompilation. The paid solution is using Dexguard, which uses Proguard with additional level of encryption. Both are products of Guardsquare.
To get familiar with such tools refer to Guardsquare user-manual:
https://www.guardsquare.com/
I'm not an Android expert, but I am a Rails expert. That said, I don't think Rails API security will help you here. If they decompiled your Android app, they'll just do it again when you release a new version and get whatever authentication scheme you implemented too.
Sorry.
I want to publish my application (which is not free) in android market with my own key. I got my encrypted key, but I don’t know where do I need to write this key? In which file I need to write this key?
I read the dev Guide documentation of android and I also searched by myself but I don’t understand and I couldn’t find the solution.
You only need the key if you have implemented licensing (http://developer.android.com/guide/publishing/licensing.html)
folks! I have problems with all that 'signing' stuff. I've followed instructions from developer site and signed my app using Eclipse ADT plugin. I've created keystore, filled information. But I dont't understand following thing: do I need to create separate keystore for every app?
No. You sign all of your apps with the same key.
well... if you ever think there is even a remote possibility of selling any individual apps, you should use a different key for each app and keep them separate. here is the rationale for this:
http://phandroid.com/2012/06/21/getting-acquired-how-to-transfer-ownership-of-your-android-app-or-game/
I have an app on the Android Market, and recently I was made aware that another publisher had uploaded it under a different name, and was giving it away for free.
I've never uploaded an apk that wasn't signed correctly in the official Google manner. What I'd like to know is, is code signing intended to prevent this kind of thing happening?
Can someone remove the license and add their own? Is this easy to do?
They'd have to do more than just take your APK and upload it under their account. The namespace which you create is unique to your application. So, at a minimum they've reverse engineered some of your code.
As long as somebody is able to pull your apk off of their device and re-package it, nothing can really stop them from uploading it to the market on their own. Report it to Google and you may want to look into using the licensing service.
There is nothing preventing someone from doing this. All code signing does is ensure your application has not been modified from the version you published. i.e. a modified version cannot be installed on top of an unmodified version. If your app has simply been republished without modification, it is no different from your own version. Only the distribution source has changed.
You will need to implement some kind of licensing to prevent piracy. Android code signing is not like iOS code signing (where apps on the store as actually signed by Apple, not just you).
My company is attempting to publish its first Android app on the market, and we have gotten to the code signing step. We have keys that we use for our other products and use the windows codesign tools to sign our products. We would like to use the same key to sign the Android app, but (obviously) cannot use the windows signing tool (because it only signs .dll's and .exe's)
Does anyone know how to sign an android app using existing keys? (.spc and .pvk files)
Thanks in advance.
You can try converting the PVK into something for the Java keystore. The odds of the resulting key being something the Android Market will accept is low -- for example, the Android Market requires the key to be good for at least 25 years, that you will use the same key for the entire lifetime of your app, etc.
Since the Android key can be self-signed, you are not saving any money this way and are only wasting time and increasing risk, IMHO.