What is the Signing Key for Android Apps?

Written by tukaianirban | Published 2022/10/10

The key through which Google ensures continued app publication for all developers.

The Problem

Say a developer publishes an app on Google PlayStore. The app is verified by Google, released to users, and becomes a success! It garners thousands of users every day. A month later, a bug shows up in the app.

The developer, in the meantime, was not expecting this. They changed their workstation, and with it, lost the key with which they had signed the app build when publishing it.

Now, the developer has managed to fix the bug and has a release build ready. But they do not have the old key with which they signed the app. Android OS requires all updates to an app to be signed with the same key, so that it can verify that the app’s updates came from the same developer who built the app.

This means that if the developer now publishes the app with a new key, the users’ phones will reject the version with the software fix!

The Problem for Google

For a budding developer or a not-so-popular app, this is not really a problem. They can simply move on or rebrand the app and submit a new one to PlayStore.

The real problem, however, is for Google.

On one hand, they can, over time, collect a bunch of apps that cannot be maintained by their developers.

On the other hand, developers (and this typically happens to single-person developers rather than companies) who lose their signing key are no longer able to maintain and provide updates to their own apps.

This has a negative impact on the reputation of the PlayStore itself, of not being able to sustainably deliver app updates to users.

As regular users, most people very often do not care where the app came from. They care about being able to use the app reliably, securely, and get support if something goes wrong.

The Solution

Google solved this in a two-step approach.

Firstly, they had already started rolling out app publishing in AAB (Android App Bundle) format rather than native APK files. An AAB contains more information than an APK does, and contains it in a way that lets PlayStore servers generate the APK from the AAB file.

This way, the actual APK that is downloaded to the user’s phone remains decipherable to the PlayStore backend.

Secondly, Google introduced two separate keys: the Upload Key and the Signing Key.

The Upload Key is the key with which the developer signs the AAB file. This signature is created and verified only between the developer and Google’s PlayStore backend.

Once the AAB file is uploaded, PlayStore verifies that the app is published by a developer who has the same Upload Key as the previous builds of the app.

PlayStore then extracts the contents of the AAB file and generates the APK file from it. Then it signs this APK file with a new Signing Key and distributes the APK file to the user’s devices.

So essentially, the Signing Key is the key that the user’s Android phone verifies against. The phone checks that every subsequent update of an app is signed with the same Signing Key as the previous one, and that is the key Google actually signs with.

With this simple trick, Google PlayStore ensures that the user’s device verifies against a key that it stores itself. PlayStore obviously has much better storage and backup mechanisms than any developer’s workstation and can ensure that the Signing Key of any app is never lost.

What Does This Mean for the Developer?

This means that the key we as developers sign our apps with is valid only between us and Google PlayStore, and has nothing to do with the key that our users’ phones actually receive.

This also means, that if we lose our workstation or the Mac KeyChain gets corrupted, we can quickly generate a new key, register that in the PlayStore, and upload the next build of our app.

PlayStore will know that the app’s update build came from me (it knew it when I registered my new key). It then extracts out the Upload Key, signs the distribution APK with the actual Signing Key of my app, and sends the APK to my users.

This also means that PlayStore simply made life a lot easier for small-scale developers like me!

A Nifty Detail

If you have a user’s phone with your app installed on it through PlayStore, and you compile and sign a new version of your app on your workstation and try to ‘adb install …’ it, the installation will fail due to a mismatch of keys!
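
The mismatch can be confirmed before installing by comparing signer certificate digests. This is an added example, not code from the original article: it assumes `adb` and the Android build-tools `apksigner` are on the PATH, and the function names, sample certificate names and digests are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: predict the `adb install` key mismatch by comparing signer
# certificate digests. Sample text below is constructed, not real output.

# Read `apksigner verify --print-certs` output on stdin and print each signer's
# SHA-256 certificate digest (lowercase hex, sorted, one per line).
signer_digests() {
    sed -n 's/^Signer .*certificate SHA-256 digest: \([0-9A-Fa-f]\{64\}\)$/\1/p' |
        tr 'A-F' 'a-f' | sort -u
}

# Compare two captured apksigner outputs. Prints "match" only when both list
# the same non-empty set of signer digests; otherwise "mismatch" (status 1).
compare_signers() {
    local installed local_build
    installed=$(printf '%s\n' "$1" | signer_digests)
    local_build=$(printf '%s\n' "$2" | signer_digests)
    if [ -n "$installed" ] && [ "$installed" = "$local_build" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# With a device attached: pull the installed base APK and compare it with a
# local build. Usage: live_check <package> <local.apk>
live_check() {
    local remote tmp status=0
    remote=$(adb shell pm path "$1" | tr -d '\r' | sed -n '1s/^package://p')
    tmp=$(mktemp)
    adb pull "$remote" "$tmp" >/dev/null &&
        compare_signers "$(apksigner verify --print-certs "$tmp")" \
                        "$(apksigner verify --print-certs "$2")" || status=1
    rm -f "$tmp"
    return "$status"
}

# Constructed samples: the Play-delivered APK carries the Signing Key
# certificate, the workstation build carries the Upload Key certificate.
PLAY_INSTALLED='Signer #1 certificate DN: CN=Example App Signing Key
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
LOCAL_BUILD='Signer #1 certificate DN: CN=Example Upload Key
Signer #1 certificate SHA-256 digest: fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210'

compare_signers "$PLAY_INSTALLED" "$LOCAL_BUILD" || true   # prints: mismatch
```

When the digests differ, `adb install` of the update is refused with `INSTALL_FAILED_UPDATE_INCOMPATIBLE`; the same comparison on two Play-delivered versions of the app reports a match.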

Happy coding!


Published by HackerNoon on 2022/10/10