Exploring Google Play App Signing

When distributing our Android Applications we’ve always been required to sign our APK using a keystore for our application — this has allowed us to ensure that only the developer(s) of our app are able to upload updated APKs to the play console. However, because this keystore acts as a fingerprint to the lifecycle of our application — if anything was to happen to this then we hit a bit of a tricky situation. Because of the disadvantages that the current signing process brings, Google Play App Signing is here to help make things smoother. In this article I want to dive into this App Signing method so that we can get it integrated into our applications.

App Signing is a new process available for developers that allows us to offload the signing of our release APKs onto Google. Once we have provided the Play Console with our app signing key, we can upload our APK and Google will sign them for us prior to delivering it to our users.

Whilst the current way of signing APKs works, there are some flaws which can often bring a little bit of fear to the minds of developers:

  • If you lose your key then this prevents you from updating your application. Maybe your computer fails, your backup is lost or it is just misplaced in some way — any situation where your key is lost means you will not be able to update your application.
  • Your key could become compromised by someone with malicious intent — in this case the person with the key can update your application and because there is no way of revoking this access, there’s not too much you can do to regain access to your key.

When using Google App Signing, the huge advantage is that Google manages the signing key for our application — meaning that we can relieve the pressure of being completely responsible for our keystore. When it comes to App Signing there are two different keys that are used for the signing process:

  • App Signing Key — The key used by Google to sign the APK prior to release
  • Upload Key — A key used by the developer to upload the APK to the Play Console

As you can see, developers will still be required to keep their own copy of the Upload Key for use when uploading APKs — the difference now is that this Upload Key is not responsible for the signing of a release build, it is simply used to identify the developer who is making the upload. Because this is not a unique key used for signing the release APK of an application, it means that it can be replaced by Google at any time. So if an Upload Key is lost, compromised or should no longer have upload rights for whatever reason then Google can revoke this key and generate a new one for use.

So to sum this up, you can view the Upload Key as an authoritative key, but not a master key — it gives permission for the Developer to upload APKs to the Play Console but not distribute them, that role comes under the permissions of the App Signing Key.

If you’re uploading APKs for your application then this process is completely optional, you are welcome to continue managing your own keys — bearing in mind that you will not be able to make use of any advantages that App Signing brings. For example, if your signing key is lost or compromised then you will not longer be able to upload updated APKs for your application.

When it comes to the Android App Bundle format, App Signing is a compulsory process. This is because when it comes to App Bundles, Google Play needs to be able to sign the APKs for you before distribution — so there is no way to be able to carry out this flow when keys are managed by the developer.

Regardless of whether you’re using APKs or the App Bundle format, let’s take a look at how we can setup App Signing in our own applications.

Porting an existing app

For this example we’re going to take a look at enabled App Signing for an existing application in the Play Console. Before we get started though it is important to note that once you opt-in for App Signing you cannot switch back to manual key management — so be sure that you definitely want to make the switch before you enable it. And if you’re unsure, maybe try it out on a sample app just to be sure (that’s exactly what I did!).

To begin with, we need to navigate to the App Signing section in the console. This can be found in the Navigation Drawer under Release Management > App Signing. When you reach this page, you will be presented with the Terms of Service for App Signing that you will need to accept before you can continue.

On this screen you’ll then notice that you have three options to setup App Signing, we’ll be using the second, You haven’t exported your app signing key, option to export and upload our signing key.

Configure an app signing key

You’ll need to begin by downloading the Play Encrypt Private Key tool (in the form of a jar file) that will be used to encrypt your key before uploading. Once downloaded, you’ll see the command within the setup process that you need to run, this will look a little something like this:

java -jar pepk.jar — keystore=your.keystore — alias=your_alias— output=some_file_name —- encryptionkey=your_encryption_key

Here you’ll execute the pepk.jar file that we previously downloaded and pass some information along as arguments.

  • To begin with we must provide the path to the keystore which we wish to encrypt.
  • Next, we provide the alias which is used to access the keystore that we are encrypting.
  • We then provide a desired file name for the output argument, this will be the name of the file that is generated for us
  • Finally, the encryption key value which is provided in the code displayed by the Play Console during this process.

When you run this command you will be asked for your keystore password. Upon entering it, the app signing key will be generated and placed in the given output path. At this point you can then upload the key using the given button in the setup process.

Configure an upload key

Just before you hit the enrol button, you may notice an optional section which offers enhanced security for your application signing key — this is referring to the upload key that we previously brushed over and the keystore used to generate this. Whilst this may feel like no change from previously managing a key — the whole point of this is to allow a different key to be used for the upload process than the signing process. The upload key is not a part of the Android security model, so it cannot be used to sign APKs, only upload them.

Generating an upload key is a single step process. We can create a new keystore for our upload process, and then use the following command to generate the required pem file for upload.

keytool -export -rfc -keystore upload-keystore.jks -alias upload -file upload_certificate.pem

Once generated, you will be able to upload this file to the console where requested.

Once you’ve hit enrol, the App Signing screen will be reloaded and you will be shown the success notice for App Signing setup:

You’ll also notice here that there are a collection of fingerprints available for both the Signing and Upload certificates, available for download should they be required.

Now at any point if your upload key is lost of compromised, you can create a new Upload Key using the same steps that we carried above and contact Google through this form to provide a new upload key to be used. Note, only the account owner will be able to make this request.

Signing for new Applications

If you’re creating a new application then this whole process doesn’t apply to you, as App Signing is enabled by default for you! When visiting the App Releases section of the play console for a new application (once you’ve uploaded an APK), you’ll see the following message:

Whilst most of the work here is done for us, there’s a couple of options that we can use to configure our keys here. To begin with, if you choose not to dismiss the message using Continue, you can Opt Out of App Signing by hitting the button shown on the left hand side.

However, you also have the choice to reuse a signing key — this means that the Signing Key used by Google Play for another project of yours can also be used for this new project that you’re creating. This can however pose a security risk as if for whatever reason your account become compromised, then all of your applications that depend on the compromised key could be at risk.

In this article we’ve learnt about what App Signing is and how we can integrate it into our upload / release process. Putting this in place allows you to remove the responsibility of security from your team and let Google take care of that side of things — protecting you from losing or having your key become compromised. If you have any questions about App Signing, or experiences to share of your own then please get in touch!

Leave a Reply

Your email address will not be published. Required fields are marked *