Android, Multiple Apps, Multiple Customers, One Keystore [duplicate] - android

This question already has answers here:
Can I use the same keystore file to sign two different applications?
(7 answers)
Closed 6 years ago.
I have 15 Android apps to build and host (and update in the future).
Each app has a unique package name.
5 apps will be hosted on one Google Play account.
The other 10 will be on 10 individual customer accounts.
I don't want a link between the apps, and want to be able to update them separately in the future.
Question: Can I use 1 keystore for all? Or will I need a unique keystore for each app? Will this affect the update process in the future? Or do I just need to keep the package name the same to make sure of a successful update?

In theory, you can use the same keystore to sign all the applications. In practice, however, it would be good to use individual keystores per developer account. The reason being, they belong to different customers and in future, if somebody else has to update the apps (not you), then you will have to either supply the keystore to the customer or update the application by signing with a different keystore. Both of these can be problematic.

Related

Signing Android APPs for one company with different providers

Our company currently has several apps for Android in the Google Play Store, developed by different software providers.
What would be the best approach for this situation?
Having one keystore for all the apps from our company?
Having one keystore for each provider? For each app?
What would be the main benefits and drawbacks of each approach?
Thanks.
In my opinion having one keystore for each provider will be a better approach in this situation. After all, it is signing, and instead of signing all the apps with one keystore, multiple signatures will be better. However, if your company has 200 apps with 100 different providers then it would be unwise to have different keys. It is about your scale and choice. Yet, I don't think there will be so much difference between the two approaches.
You can use flavors for different app versions and apps.
I would STRONGLY recommend having a different certificate for each app.
I would also STRONGLY recommend using Google Play App Signing rather than signing the app yourself.
The benefit of the first case is future commercial flexibility. App developers often want to sell their app to another company, spin off a division to a separate company, or separate responsibility for app signing keys so they don't have a single point of failure. If you have a single key then:
If you sell the app to another company then you have to give them the signing key and they can sign any of your apps, thereby producing fake versions
if you want to spin out a division the same problem occurs
if you want one team to be able to sign their own app for testing, then they can sign any app for the company.
Having a separate key solves all these issues.
If you want to know why you should use Google Play app signing you should search StackOverflow for questions saying things like "help I have lost my signing key/password/had a computer stolen, what can I do?". There are hundreds of them, and the problem has hit even some of the biggest developers. If you use Google Play App Signing then Google Play will keep your key safe, and Google Play support can help you if you lose it.
To comment on the answer that cites the Android Studio page: they misunderstand it. That is just about having a single signing key per app, not across apps.
There are some reasons to use the same signing key for multiple apps. On the Android system this gives the apps some abilities to trust each other in certain ways on things like RPCs, but it is very rare to need this.

Upload apk with different signature and same package name in google play store [duplicate]

This question already has answers here:
The apk must be signed with the same certificates as the previous version
(15 answers)
Closed 6 years ago.
I have read a lot of similar questions but none of them answered my question.
This is the first time I have uploaded an APK to the Google Play Store.
I made a mistake by uploading with a developer signing key and publishing it to the Alpha group.
Now I have unpublished it but it won't let me overwrite it with a new APK signed with the production key.
Moreover, now I can't create a new app in my profile since an app with my package name already exists in the Play Store.
Is there something I can do now?
I really don't want to change the package name, since thousands of users are already using this app from different sources. They need to get this APK with the same package name and the same production signing key.
Any guidance will be helpful.
Is there some way I can reach out to the Google Support team?
Thanks!
EDIT: I had published it using a developer signing key we use internally for testing purposes.
Unfortunately, signatures are set forever after your first publish to any channel. You'll have to create a new app with a new ID in order to get your correctly-signed app on the market.

Using one keystore for my company's different customers?

I have a company that develops different Android applications for its different customers (each of them is a different company), but almost all the apps' subjects are the same. For example, Android applications for different car firms.
Now, the question is: Is it recommended that I sign these applications with the same key, or should I create a different keystore for each company that asks for an Android application?
Thanks in advance,
I'd say that the answer is no.
I had the case where, after I had developed an application with a single keystore for multiple customers, one of them asked for the key so that they could continue the development in-house. The result was a giant mess. I would not wish that upon anyone.
Setting up different keystores is not that hard, and as I see it, besides the organizational advantages, there are no other reasons to sign different apps with the same key, unless you have some elaborate lock-in strategy in mind.
TL;DR - Yes, use a separate keystore for each one of your client companies.
You can store multiple aliases (with different passwords) into a single keystore. I recommend you to read Signing Strategies.
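As an added example, not taken from any of the answers above or from Android's own documentation, here is what the per-customer strategy recommended in this thread and in the "Signing Android apps for one company" thread looks like in a module-level `build.gradle.kts`: each customer flavor gets its own application ID and its own keystore file and alias, with passwords read from the environment so they never land in version control. The customer names, keystore paths, package names and environment variable names are assumptions. The variant from the last answer (several aliases in one keystore file) differs only in that every signing config points at the same `storeFile` with a different `keyAlias`.

```kotlin
// Added example, not from the original page: module-level build.gradle.kts.
// One signing config per customer, each backed by its own keystore file, so a
// customer can be handed their key later without exposing anyone else's.
android {
    signingConfigs {
        // Weak pattern, shown only for contrast: one key shared by every app.
        // create("shared") { storeFile = file("keystores/company.jks"); keyAlias = "company"; ... }

        create("acmeRelease") {
            storeFile = file("keystores/acme.jks")               // assumed path
            storePassword = System.getenv("ACME_STORE_PASSWORD") // assumed env var
            keyAlias = "acme"
            keyPassword = System.getenv("ACME_KEY_PASSWORD")
        }
        create("globexRelease") {
            storeFile = file("keystores/globex.jks")             // assumed path
            storePassword = System.getenv("GLOBEX_STORE_PASSWORD")
            keyAlias = "globex"
            keyPassword = System.getenv("GLOBEX_KEY_PASSWORD")
        }
    }

    flavorDimensions += "customer"
    productFlavors {
        create("acme") {
            dimension = "customer"
            applicationId = "com.example.acme"     // assumed package name
            signingConfig = signingConfigs.getByName("acmeRelease")
        }
        create("globex") {
            dimension = "customer"
            applicationId = "com.example.globex"   // assumed package name
            signingConfig = signingConfigs.getByName("globexRelease")
        }
    }

    buildTypes {
        getByName("release") {
            isMinifyEnabled = true
            // Deliberately no signingConfig here: a build type's signingConfig
            // would override the flavor's, and the flavor is what ties each
            // customer's app to its own key.
        }
    }
}
```

With this layout `./gradlew assembleAcmeRelease` produces only the Acme app, signed with the Acme key, and an operator who holds the Globex credentials cannot produce a valid Acme build. If the customer accounts use Google Play App Signing, as the earlier answer recommends, the key configured here is the upload key for that account and Google holds the app signing key; losing an upload key is then recoverable through Play support, and it still cannot sign another customer's app.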

Android APK signing [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Is it possible to decompile an Android .apk file?
I have a question about Android APK signing. Here is a scenario:
There is some app on the market. I install it on my device. Extract the APK, decompile it. Then recompile it (making whatever changes I want), sign it using my keystore and upload it to the Market and basically spoof that app. Is there anything (apart from the app itself checking who has signed the app) stopping someone from doing this?
On the Play Store every app has a unique package name. So you can't upload an app with the same package name. Besides that, you have to agree to Google's agreements (and uploading someone's app is definitely against their agreement), so if you want to get sued by the original developer then go ahead...
I'm assuming that you are asking because you are worried about this happening to you, not that you are planning to do this to someone else's app.
You won't be able to use the same package name as an app already in the market. Someone installing your app will not lose the other one. As far as the market is concerned, they are completely different apps. They will need to be published under different publisher accounts, since they are signed by different keys.
If you want to spoof at the surface level (which is all you can do anyway), there's a much easier way. Just write an app that has the same name and description as an app on the market. Someone looking for "Goofy Game" will find your ersatz title along with the real "Goofy Game" app. Caveat emptor.
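The one defence the question itself mentions is the app checking who signed it. As an added example, not from any of the answers above, here is a Kotlin helper that reads the app's own signing certificate(s) through `PackageManager` and compares their SHA-256 fingerprints with the fingerprint of the release certificate the app was built with. The fingerprint constant is a placeholder, and the function names are my own; a real value comes from `keytool -list -v` on the release keystore.

```kotlin
// Added example, not from the original page.
import android.content.Context
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import java.security.MessageDigest

// SHA-256 fingerprint of the release certificate, in the colon-separated form
// keytool prints. Placeholder value; replace with the real fingerprint.
const val EXPECTED_CERT_SHA256 = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:" +
        "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"

// Returns the SHA-256 fingerprints of every certificate currently signing this app.
fun currentSigningFingerprints(context: Context): List<String> {
    val pm = context.packageManager
    val signatures: Array<Signature> = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        val info = pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
        val signingInfo = info.signingInfo ?: return emptyList()
        // With key rotation the history holds old and new certificates; either
        // may be the one we expect, so keep them all.
        if (signingInfo.hasMultipleSigners()) signingInfo.apkContentsSigners
        else signingInfo.signingCertificateHistory
    } else {
        @Suppress("DEPRECATION")
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures
            ?: emptyArray()
    }
    val md = MessageDigest.getInstance("SHA-256")
    return signatures.map { sig ->
        // Signature.toByteArray() is the DER-encoded X.509 certificate,
        // which is exactly what keytool fingerprints.
        md.digest(sig.toByteArray()).joinToString(":") { "%02X".format(it) }
    }
}

// True when the installed app is signed by the expected release certificate.
fun isSignedWithReleaseKey(context: Context): Boolean =
    currentSigningFingerprints(context).any { it.equals(EXPECTED_CERT_SHA256, ignoreCase = true) }
```

Call `isSignedWithReleaseKey` early, for instance from `Application.onCreate`, and treat a false result as a signal to report (to your backend or crash reporting) rather than a hard barrier: a repackaged copy can have this check removed along with everything else, so its value is in telling you that tampered builds are circulating, not in preventing them. The same fingerprint is also what you would give to anyone verifying an APK you distribute outside the Play Store.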

Same Keystore for different app [duplicate]

This question already has answers here:
Can I use the same keystore file to sign two different applications?
(7 answers)
Closed 6 years ago.
I have always used the same keystore and same key alias for all published apps...
Is this the right choice, or should I use a different alias for each published app?
I haven't found really clear information about the right use of keystores.
The keystore file, or the signing of the apps, represents that some developer or company certifies that the application has been developed or verified by that particular company or developer, not the application itself.
So, as far as you are developing the app with the name of your company, or yours, you should sign the app with the same keystore, though it is not mandatory.
You can use same keystore for signing multiple applications.
There is no need to create new keystore file again and again.
You can follow this for reference.
Sharing a keystore between multiple applications is a bad idea and isn't very secure.
API Consoles that use a keystore for identification can get messy.
If one app keystore is compromised, all apps are compromised.
