Image for post
Image for post

Answers to common questions about Play App Signing

Wojtek Kaliciński
May 7, 2020 · 12 min read

Android apps are cryptographically signed by the developer. This allows the package manager on the user’s device to verify that every app update comes from the same source and that it hasn’t been tampered with. Google Play also enforces this signature check when you upload your APK to the Google Play Console, so that even if someone had your login credentials it would be impossible to send a malicious update without also having access to your private key.

Historically, developers were responsible for generating their own private keys and keeping them safe throughout the application’s lifetime. While this offered a lot of flexibility, it was also prone to mistakes: generating weak keys, accidentally checking in your private key to a public repository or even losing it altogether are just a few common ones that happen routinely even to seasoned developers.

Nowadays developers have a compelling alternative to managing keys themselves: Play App Signing, in which the upload key (the one you use to upload your artifacts to Google Play) and the app signing key (the one used to sign APKs distributed to devices) can be separate, and the app signing key is stored securely on Google’s infrastructure.

Even though many other popular platforms treat distribution keys this way, for many developers it’s a departure from the previous Android signing model, and some developers may feel like they’re giving up too much control over their apps.

That’s why, I want to dispel some common misconceptions about Play App Signing, as well as give guidance on specific scenarios that you might encounter.

This advice is based on questions our Developer Relations team has heard from developers at conferences, in online forums and our 1:1 chats.

Let’s start with the most compelling reason to switch to Play App Signing:

1. I’ve lost the key used for signing release artifacts that I upload to Google Play. What are my options?

Without Play App Signing: Without the app signing key,
there’s nothing you or Google can do to continue updating your app due to security protections built into Android. Your only option is to
create a new store listing with a new package name and start from scratch.

With Play App Signing: You can request a new upload key. Play will be able to continue signing your app updates with the app signing key, which is securely stored by Google.

If I were to name one reason that speaks for the adoption of app signing, it would be the one above. But before we go further and talk about specific scenarios that app signing can help you remediate (there are more!), let’s pause to answer a meta-question first:

2. Why does Google want developers to switch to Play App Signing?

Google Play’s first priority is to build a trusted, safe, and secure platform for billions of users and millions of developers for many years into the future.

The sustainability and success of the ecosystem depends on this. Most developers cannot match the level of security that Google can offer.

The new app model, where Play ingests publishing artifacts and generates signed artifacts is designed to minimize the surfaces where the signing keys could be exposed. It is not only secure, but also more efficient, and future-looking with benefits for end-users and developers alike.

For example, a number of apps currently on the Play Store still haven’t adopted the more secure v2 signing scheme. Once enrolled into Play App Signing, apps benefit from the new protections and future enhancements automatically, without developer work required.

And finally, separating the publishing format (using Android App Bundles) from the serving format (split APKs) unlocks benefits for developers and users alike: from increased security, to optimization, reduced complexity and fragmentation. In order to do this, however, Play must have the ability to sign the serving artifacts.

Some examples of features available right now are automatic size optimizations for app delivery, as well as new customizable delivery options for modules in your app.

More importantly, it gives us a way to evolve and improve the delivery mechanisms in the future, while ensuring the trust and safety of the distributed artifacts.

Even though we continue to improve our serving stack, we don’t modify and distribute your application code without your knowledge and approval, and the new optimizations Play performs are available for your inspection in the open source bundletool. Later in this FAQ I discuss some of the metadata (metadata which doesn’t impact how your app works) differences you might see between artifacts downloaded from Play and generated locally.

3. My app signing key was generated many years ago and I’m afraid its cryptographic strength no longer meets today’s standards or I believe that my app signing key has leaked. What can I do to upgrade?

Without Play App Signing: As previously mentioned, you cannot simply switch to a new key, as that would mean your existing users would not be able to get app updates. You either have to continue using your existing key and risk the safety of your users’ data or start a new app entry from scratch.

With Play App Signing:
If you are using a weak key or your key was compromised, you can upgrade your app signing key for new installs.

This works by delivering APKs signed with your legacy key to existing users when they update the app, while fresh app installations get APKs signed with the upgraded, secure key.

Consider enabling app signing now and switching to using a separate upload key as soon as possible, reducing the likelihood of ever compromising the app signing key.

The current process of upgrading to a new key is not instantaneous and if the app signing key leaks, your existing users will be at risk until they reinstall the app or move to a new device.

Please note that the current key upgrade process does not take advantage of the key rotation feature introduced in Android 9 (Pie) and above. We are currently investigating support for key rotation using app signing v3 for devices on these OS versions and will let the developer community know once it’s ready in a separate announcement.

4. The upload key I used for signing my artifacts was stolen. What are my options?

Without Play App Signing: There is no concept of a separate “upload key”, so if your release signing key leaks, you could be in big trouble: someone could create malicious or unauthorized versions of your app that would be indistinguishable (and updateable!) from your original APKs.

Of course, Google account protection applies to Google Play Console access (and we recommend developers enable 2-step verification), so the attacker would still have to find a way to trick a user into sideloading such a modified APK. Nevertheless, your app’s security is weakened.

Refer to the question 3. above about a compromised app signing key to see what kind of remediations are available, including key upgrade for new installs.

With Play App Signing:
If your upload key is separate from your app signing key (which I cannot recommend highly enough), and the upload key is the one that leaked, that means your users’ data is safe — the upload key is not enough for an attacker to be able to impersonate APKs signed with the app signing key. Simply request a new upload key.

If you continued to use your app signing key for uploading to Play when you first enabled app signing, and that app signing key leaked, you are in a bit of a worse situation, but app signing can still remedy the problem. Follow the advice on how to upgrade your key for new installs.

5. I enabled Play App Signing for my app, but I changed my mind and would like to download the app signing key that is stored on Google’s infrastructure.

It’s not possible for you, or anyone else on your developer account, to download and save the private key for your app that’s stored on Google’s secure infrastructure. This is to ensure the protection of your app signing key.

If you foresee a situation in which you will need continued access to your app signing key, you should do the following when enabling app signing:

  • Do not select the option for Google Play to generate the app signing key for you. Generate your signing key locally on your machine instead.
  • Securely transfer your key to Google Play, and do not delete it from your machine.
  • Keep the key secure, ensuring it doesn’t leak to third parties.
  • Make sure to create and test backups of your key regularly, as you will not be able to download it from Google in case you lose it.

These steps are explained in the documentation. Look for the instructions on how to “opt in for an existing app” to see how to encrypt your signing key to upload it to the Google Play Console from Android Studio or the command line.

If you are absolutely sure you will not need continued access to your private app signing key, we recommend that you either let Play generate your key (for new apps) or that you delete your copy after transferring it to Play, and switch to using an upload key.

The upload key can be reset, and it doesn’t compromise your users’ security in case it leaks.

6. How can I be sure my private key is not intercepted when I transfer it to Google Play?

If you’re enabling app signing for a new app and select the option to generate a new key in Google Play Console, the key is never transferred and is generated directly on Google’s secured server, so you’re all set.

If you need to transfer your existing signing key (optionally for new apps and mandatory for existing apps), you always do that in encrypted form. Whether you export the key from Android Studio or from the command line, you will use the Play’s Encrypt Private Key (PEPK) tool locally on your machine before transferring the key.

In case you need to know details of the encryption used, PEPK uses P256 Elliptic Curve asymmetric encryption with AES symmetric encryption. If you need to inspect the tool further and get more details, we give you the opportunity to download the PEPK tool and its source code during the app signing sign up flow.

Feel free to review or compile it yourself, so that it can be run in your own secure environment, ensuring that the unencrypted key is never exposed.

Only use versions of PEPK downloaded from the Google Play Console, never download it or its source from unverified third-party websites.

7. How is the key protected at rest on Google’s infrastructure? How can I be sure no one is accessing it?

When you use Play App Signing, your keys are stored on the same infrastructure that Google uses to store its own keys.

Key access is governed by strict ACLs and tamper-evident audit trails for all operations.

All artifacts generated and signed with the developer’s key are made available to you in the Google Play Console for inspection/attestation.

Furthermore, to prevent key loss, we make very frequent backups of our primary storage. These backups are strongly encrypted and we regularly test restoring from these backups.

If you want to learn about Google’s technical infrastructure, read the Google Cloud Security Whitepapers.

8. I require a public certificate to sign up for external services, but I don’t have access to my key. What can I do?

If you want to use services or APIs that require signing up with a hash of the public certificate of your application, you can view or download the public certificate fingerprints from the Google Play Console’s “App signing” section:

Remember to always use these fingerprints when enabling services for the release versions of your app, and not the ones derived from your upload key.

Most services allow you to enable multiple certificates for your application, so you can continue testing with locally built APKs, as well as APKs generated by Google Play.

9. Are artifacts that Google Play distributes to users of my app any different from the ones I build locally, other than the key used to sign them?

As stated before, Play will not modify the functionality of your application without your knowledge and approval. It does however insert a minuscule amount of metadata that helps with verifying the source and integrity of the distribution. This metadata comes in two flavors:

  • For all apps uploaded to Google Play, Play has been adding security metadata after the signing block to enable features such as authorized P2P app sharing. We announced this originally in a blog post in 2017.
  • For apps uploaded as app bundles, we will improve this security by introducing what is called a source stamp. This source metadata is inserted into the app’s manifest by bundletool. When the APK is generated on Play’s server, it’s also signed with a Google key in addition to your app signing key.

This means the security metadata cannot be removed or tampered with without invalidating the Google signature. This gives a high confidence signal that unmodified APKs containing the source stamp must have come from Google Play.

You can use the open-source bundletool locally to generate APKs from bundles in the same way Play does on the server. The source stamp metadata added by bundletool will not be signed by Google’s key. Other source signatures will be possible when ApkSigner is updated with the next Android release.

10. How can I access the final artifacts that Google Play distributes to users of my app?

There are multiple options available to you:

  • For testing purposes, you can use an internal app sharing link for any historical version of your app from the Google Play Console’s app bundle explorer. Tapping the link on a device will install the APKs that the Play Store would install in prod for that device.
  • You can also download signed, device-specific APKs from the Google Play Console’s app bundle explorer.

11. How can I keep distributing my app to other stores if I want to use Play App Signing?

It’s entirely possible to distribute apps in multiple ways and through different channels. There are a few considerations that you have to keep in mind, depending on if it’s a new or existing app:

For new apps, you can use separate signing keys for each distribution channel, and let Google generate the key used by Google Play for you. This is the most secure way for apps distributed on Play, as the key never leaves Google’s servers and minimizes the chance that someone intercepts the key to near zero.

Alternatively, if you don’t want to manage multiple keys but still benefit from the full security of Play App Signing, you will soon be able to download signed universal APKs from the app bundle explorer and distribute them to other stores.

For existing apps, if you’re already using a single key for different stores, you can continue doing this if you wish. You’ll be asked to upload the existing key when enabling app signing on Google Play.

Optionally, you can consider the key upgrade functionality mentioned earlier in this FAQ to move away from sharing the key used by Google Play with other distribution channels over time.

There is one caveat that comes with the above advice: please note that if you decide to use separate signing keys for different stores, your users will not be able to cross-update the app between different distribution channels, such as when someone has originally installed the app through another store and then tries to update it through Play. They will need to uninstall and install the application again.

12. I’m busy working on features and all of this sounds like a lot. Do I have to switch to Android App Bundles or use advanced features like dynamic delivery?

No, you don’t have to do everything at once.

You can opt in to Play App Signing and continue publishing APKs for the time being. When you’re ready, you can start publishing Android App Bundles.

Publishing with an app bundle is straightforward for build systems which support it and automatically brings size reduction benefits for most apps.

Over time, you can take advantage of advanced features such as dynamic delivery. For apps, you can modularize your app with dynamic feature modules to improve build times and take advantage of customizable delivery. Games can use dynamic asset delivery to deliver high quality assets either at install time or post install with customizable delivery modes and smart targeting options.

If you’d like to start using app signing, but your management or security teams need an explanation of the benefits and caveats of app signing, please feel free to forward the questions and answers to them. Feel free to add questions in the comments, I’ll do my best to find answers for you if possible!

Android Developers

The official Android Developers publication on Medium

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store