SHA 1 & SHA 256 — Why? How to generate?

Kavindu Harshana
Oct 27, 2023


Why do we use them?

In mobile application development, SHA1 and SHA256 keys are used for security purposes. They are like digital fingerprints that are unique to your app. These keys are used for a variety of security purposes, such as:

  • Signing your app: This helps to verify that your app is authentic and has not been tampered with.
  • Authenticating your app: This allows your app to access third-party services and APIs.
  • Encrypting user data: This helps to protect user data from unauthorized access.

SHA-1 is an older code that’s not as secure as SHA-256, so it’s not recommended for new apps. But if you’re using certain Google services, like maps, you might need to use SHA-1. You can find your SHA-1 and SHA-256 keys in your Android Studio project.

⚠️ Don’t give your SHA-1 or SHA-256 keys to anyone! What could happen?

Your SHA-1 and SHA-256 keys are like the keys to your house. If someone has them, they could:

  • Sign your app with their own key. This would allow them to publish your app to the Google Play Store or other app stores, even if you don’t want them to.
  • Authenticate with third-party services and APIs on your behalf. This could allow them to access your user data or even take control of your app. 🚨

In short, giving your SHA keys to someone is a bad idea. It could give them full control over your app and your users’ data. So, just keep it secure!!🚨

To generate SHA-1 and SHA-256 keys

To generate SHA1 and SHA256 keys in Android Studio, follow these steps:

  • Open your project in Android Studio.
  • Click on the Gradle tab located on the right side of the window.
  • Navigate to your project > Tasks > android.
  • Double-click on signingReport.
  • The SHA1 and SHA256 keys will be displayed in the Run tab at the bottom of the window.

— — — — — — — — — — — — — — — — — — — — — — —

Using cmd (Windows):

keytool -list -v -keystore "C:\Users\Harshana\.android\debug.keystore" -alias androiddebugkey -storepass android -keypass android

Ok ok, I’ll explain what this command does,

The command is used to list the keys in the Android debug keystore file. The keytool utility is a Java utility that can be used to manage keystores and keys.

keytool is a key and certificate management tool that comes with the Java Development Kit (JDK). This specific command is being used to list the details of a keystore file called “debug.keystore” located at “C:\Users\Harshana\.android”. Harshana? Yeah, it’s my name. 😀

Why the -list and -v parameters? They have some meanings. You can just google it. androiddebugkey? The “androiddebugkey” is a pre-generated, self-signed certificate that Android Studio.
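A check you could run on the output of the keytool command above, as an added example that is not part of the original post: it parses the fingerprint lines and reports whether a fingerprint registered with a third-party service matches, and whether it belongs to the debug key rather than a release key. The sample output and its fingerprint values are constructed, and the function names are hypothetical.

```python
import re

def constructed_fp(n):
    """Constructed fingerprint (bytes 00..n-1) in keytool's AA:BB:CC format."""
    return ":".join(f"{b:02X}" for b in range(n))

# Constructed sample of `keytool -list -v` output; not from a real keystore.
SAMPLE = f"""Alias name: androiddebugkey
Entry type: PrivateKeyEntry
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Certificate fingerprints:
\t SHA1: {constructed_fp(20)}
\t SHA256: {constructed_fp(32)}
Signature algorithm name: SHA256withRSA
"""

HEX_LEN = {"SHA1": 40, "SHA256": 64}  # digest sizes in hex characters

def normalize(fp):
    """Drop separators and case so pasted and keytool forms compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).lower()

def parse_keytool(text):
    """Extract alias, owner and certificate fingerprints from keytool output."""
    entry = {"fingerprints": {}}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # section headers such as "Certificate fingerprints:"
        if key == "Alias name":
            entry["alias"] = value
        elif key == "Owner":
            entry["owner"] = value
        elif key in HEX_LEN and len(normalize(value)) == HEX_LEN[key]:
            entry["fingerprints"][key] = normalize(value)
    return entry

def check_registration(text, registered):
    """Report which digest the registered value matches and if it is the debug key."""
    entry = parse_keytool(text)
    wanted = normalize(registered)
    matched = [alg for alg, fp in entry["fingerprints"].items() if fp == wanted]
    is_debug = (entry.get("alias") == "androiddebugkey"
                or "CN=Android Debug" in entry.get("owner", ""))
    return {"matched": matched, "debug_key": is_debug}

if __name__ == "__main__":
    print(check_registration(SAMPLE, constructed_fp(20).lower()))
```

A result with `debug_key` set to true for a fingerprint registered against a production configuration means the service is tied to the debug keystore instead of your release signing key.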

That’s all!

Kavindu Harshana

Mobile Application Developer, Undergraduate @ University of Moratuwa