Problems publishing an unsigned .apk file?

There are many questions about signed and unsigned .apk files. For testing and debugging, we can use the unsigned .apk file generated inside the bin folder. This apk file was generated using a dummy keystore file. My question is why we need to use a signed apk. We cannot post an unsigned apk. What's wrong with it?

+7
android keystore apk
6 answers

There are a number of reasons why you want to have an application signed with a release key. There's even a great article about it. Here are a few reasons:

  • This is a method that the end user can verify that the application is actually published by the same author.
  • The release process allows Android to use additional features such as in-app purchases. Without this, Google cannot verify that the application actually belongs to you.
  • This is a way to say that someone trusted the released application.
  • This is a two-step authentication process that confirms your application. This provides an additional level of security that cannot be performed by other means.
  • Applications signed with the same key are allowed to share resources. A debug certificate is provided to everyone, and you probably don't want to have this level of access with all your applications.

Basically, this makes life difficult for hackers, which is always good.

For example, you can grant access to a Google Play account to users so they can change the description, but you do not want them to upload new applications. Without the key, they cannot upload the application. Also, if your Google password is cracked, the attacker still cannot upload the application. That requires your private key file and the password that protects it.

+8

Only users who have enabled debugging in their developer options will be able to launch it. And people will need to know how to enable developer options (by tapping "Build Number" in the phone's settings seven times). Google will not allow you to publish a debug version of the apk, so people will have to download it elsewhere.

+2

Since @Pearson covered almost everything, there is just one thing I would like to add.

On Android, you cannot install an unsigned application in any way on your development phone / emulator. You must sign your application either with the debug certificate or with your own certificate.

After installing the Android SDK, it generates a “debug” signing certificate for you in a key store called debug.keystore. The debug certificate is valid for 365 days only.

So, when you install the application through an IDE such as Eclipse / Android Studio, the IDE also signs the application using the debug certificate.

Update

My question is why we need to use a signed apk. We cannot post an unsigned apk. What's wrong with it?

You need to sign the application with your own keystore certificate, since you cannot publish an application signed with the debug certificate, for the following reasons.

One reason is that the debug certificate expires within a year, after which you could no longer release updates to your application; that is why Google does not allow it. The other reason is a serious security issue.

The second reason is that the Android system uses the certificate as a means of identifying the author of the application and establishing trust between applications.

+2

An apk signed with the debug keystore is a signed apk. An unsigned apk cannot be loaded onto the device. For production, you must create another keystore for signing. In addition, after publication, future updates must be signed with the same keystore. If the keystore is lost, the application cannot be updated.

+1
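As an added example that is not part of the original thread, here is a small Python check of the JAR (v1) signing metadata inside an APK, covering the cases the answers above describe: an unsigned apk, an intact signed apk, and one modified after signing. It assumes unwrapped manifest lines and uses a constructed sample zip standing in for a real APK; the CERT.RSA entry is a placeholder, verifying that signature over CERT.SF is left to apksigner, and the v2/v3 APK Signing Block used by modern APKs is not examined.

```python
import base64, hashlib, io, re, zipfile

def _b64sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def check_v1_signing(apk_bytes):
    """Walk the v1 (JAR) digest chain; return a list of problems (empty means intact).
    Checking the CERT.RSA signature over CERT.SF itself is left to apksigner."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        sfs = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
        if "META-INF/MANIFEST.MF" not in names or not sfs:
            return ["unsigned: no META-INF/MANIFEST.MF or *.SF"]
        manifest = z.read("META-INF/MANIFEST.MF")
        problems = []
        for sf in sfs:  # each .SF must carry the digest of the whole manifest it signs
            want = re.findall(r"^SHA-256-Digest-Manifest: (.+)$", z.read(sf).decode(), re.M)
            if want != [_b64sha256(manifest)]:
                problems.append(f"{sf}: manifest digest mismatch")
        # Name/SHA-256-Digest pairs per entry (assumes no 72-byte line wrapping)
        listed = dict(re.findall(r"^Name: (.+)\nSHA-256-Digest: (.+)$", manifest.decode(), re.M))
        for n in names:  # every payload file must be listed and unchanged
            if n.startswith("META-INF/") or n.endswith("/"):
                continue
            if n not in listed:
                problems.append(f"{n}: not covered by MANIFEST.MF")
            elif listed[n] != _b64sha256(z.read(n)):
                problems.append(f"{n}: content digest mismatch (modified after signing)")
        return problems

def build_sample_apk(files, signed=True, tamper=None):
    """Constructed sample APK, not a real one: optional v1 metadata; `tamper` rewrites
    or adds entries after signing. CERT.RSA is a placeholder, not a real PKCS#7 blob."""
    mf = "Manifest-Version: 1.0\n\n" + "".join(
        f"Name: {n}\nSHA-256-Digest: {_b64sha256(d)}\n\n" for n, d in files.items())
    sf = f"Signature-Version: 1.0\nSHA-256-Digest-Manifest: {_b64sha256(mf.encode())}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in {**files, **(tamper or {})}.items():
            z.writestr(n, d)
        if signed:
            z.writestr("META-INF/MANIFEST.MF", mf)
            z.writestr("META-INF/CERT.SF", sf)
            z.writestr("META-INF/CERT.RSA", b"<placeholder signature blob>")
    return buf.getvalue()

# Constructed payload standing in for a real app's files
SAMPLE = {"AndroidManifest.xml": b"<manifest package='com.example.demo'/>",
          "classes.dex": b"dex\n035\x00constructed sample bytecode"}
```

`check_v1_signing(build_sample_apk(SAMPLE, tamper={"classes.dex": b"patched"}))` reports the digest mismatch that makes a re-packaged apk fail installation, while `signed=False` reproduces the unsigned case the thread discusses.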

An unsigned APK is harder to trace back to its original author. Although there is basically nothing wrong with that, Google forces you to sign an APK before posting it on Google Play. Because of this, Google is able to revoke a certificate when a developer abuses Google Play to publish software, i.e. malware.

In addition, since you must pay Google for the certificate, Google hopes that attackers will not pay again and again to publish the application there.

+1

From Android Developers:

"The Android system requires that all installed applications be digitally signed with a certificate whose private key is stored by the application developer. The Android system uses the certificate as a means of identifying the author of the application and establishing trust between applications" ...

Read all about it here.

+1