Google Play App Signing to Secure Your App Keys

A nightmare for any Android developer involves losing their app signing key or having their app signing key compromised.

Nimish Nandwana
Sep 6, 2017

Losing your app signing key prevents you from updating your published app, while a compromised key lets others potentially use your identity for malicious purposes. Because the security provided by this signature is built into the Android platform, once the key is lost, little can be done.

That means developers have traditionally been responsible for keeping their private signing key both safe and accessible.

But now you can let Google Play sign apps and manage your keys for you in the Google Play Console.

Let’s go through the app signing process with an existing app.

  1. After selecting one of your apps in the Play Console, app signing is available under the Release management section.
  2. After accepting the terms of service, you will see the app signing page with details about how it works and instructions on how to start using it with your app.
  3. If you store your key in a Java Key Store, the first step is to download the PEPK tool. You use the PEPK tool along with the command given in the Play Console to create an encrypted version of your signing key.

PEPK tool: Play Encrypt Private Key is a tool for exporting private keys from a Java Keystore and encrypting them for transfer to Google Play as part of enrolling in Google Play App Signing.

  4. If you are not using a Java Key Store, you can instead encrypt your signing key from a plain-text PEM file.

  5. Upload the encrypted key file to Google Play using the Play Console.

Now that Google Play has your signing key, you have to generate a new upload key and register the public key certificate for this key with Google.

The detailed keytool command to do this can be found on the app signing page.

Upload both files using the Play Console in a single transaction. After uploading the required keys and certificate, click ENROLL.

If everything is OK, you will see a page with the deployment and upload certificates, and when managing your release you will see a green check on App Signing, indicating that it is enabled.
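The two keytool steps referred to above (generate a new upload key, then export its public certificate for registration) as an added shell example; this is not code from the post or from the Play Console, the keystore path, alias, distinguished name and password are placeholders, and it assumes a JDK's keytool is on PATH.

```shell
#!/bin/sh
# Added example: create a Play upload key and export its certificate for enrollment.
# Assumes `keytool` from a JDK is on PATH. Paths, alias, DN and password are placeholders.

# make_upload_key <output-dir> <keystore-password>
# Creates upload-keystore.jks and upload_certificate.pem in <output-dir>.
# Returns non-zero if keytool is missing or either keytool step fails.
make_upload_key() {
    out_dir=$1
    store_pass=$2
    ks="$out_dir/upload-keystore.jks"
    pem="$out_dir/upload_certificate.pem"

    command -v keytool >/dev/null 2>&1 || { echo "keytool not found (install a JDK)" >&2; return 1; }
    mkdir -p "$out_dir" || return 1

    # 1. Generate the upload key pair. This key only proves your identity to
    #    Google Play; Play strips its signature and re-signs with the app
    #    signing key, so it can be revoked and replaced if lost or compromised.
    keytool -genkeypair -v \
        -keystore "$ks" -storepass "$store_pass" -keypass "$store_pass" \
        -alias upload -keyalg RSA -keysize 2048 -validity 9125 \
        -dname "CN=Upload Key, O=Example Org, C=US" || return 1

    # 2. Export the public certificate in PEM form; the certificate (never the
    #    private key) is what you register in the Play Console.
    keytool -exportcert -rfc \
        -keystore "$ks" -storepass "$store_pass" \
        -alias upload -file "$pem" || return 1
}

# cert_sha256 <pem-file>: print the SHA-256 fingerprint of an exported certificate,
# to compare against the "Upload certificate" fingerprint shown in the Play Console.
cert_sha256() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: //p'
}

# Usage (placeholder password; in practice prompt for it or read it from a secrets store):
# make_upload_key ./keys 'changeit' && cert_sha256 ./keys/upload_certificate.pem
```

Keep the keystore itself off shared build machines; only the exported .pem leaves your control.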

Modifications to your APK
Apps that are signed by Google will have a “derived APK ID” written into their AndroidManifest.xml file. You’ll see a meta-data element added under the application tag that references <meta-data android:name="com.android.vending.derived.apk.id" android:value="[ID]" />.

This ID is the identifier of the modified APK and will be reported in the usual bug reporting tools. You can use the derived APK ID to recognize a specific APK that was delivered by Play.

To download the Google Play signed APK in your Play Console, go to Release management > Artifact library.

For a new app, you can choose to have Google generate the signing key, which makes the process much simpler.

It is highly recommended that you use app signing for new apps. After enrolling in app signing, you will use the upload key to sign all future updates to your app.

Google Play uses the upload key to verify your identity and then signs your app with the original app signing key. The newly signed app is delivered to users.

With Google Play App Signing: You sign your app with your upload key. Then, Google verifies and removes the upload key signature. Finally, Google re-signs the app with the original app signing key you provided and delivers your app to the user.

What’s new?

You may ask: but I still have to sign with a key? What happens if I lose this key or it gets compromised?

NO PROBLEM

We can revoke the key immediately: it is used only to verify your identity with Google, and it is not part of the Android platform security model.

To have your current upload key revoked, contact Google Play support through the support forum here.

So when you use app signing, losing your key no longer means you cannot update your app: with a simple process you can generate a new upload key and provide its certificate, and continue updating your app.

Access the Play Console to enroll your application and take advantage of app signing today.

For more details, check out the official documentation.

Thanks for reading.
