Android Security, Signing and Publishing
1 like1,205 views
The document discusses the process for signing and deploying Android applications. It covers generating a private key, compiling in release mode, signing the APK with the private key using jarsigner, aligning the package with zipalign, and installing on a device using ADB or publishing to the Android Market. The key steps are 1) generate a private key, 2) compile in release mode, 3) sign the APK with the private key, 4) align the package, and 5) install on a device or publish.
![TB308POHJUS-L-2:temp pohjus$ keytool -genkey -v -keystore my-release-key.keystore -alias my-alias -keyalg RSA -
keysize 2048 -validity 10000
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Jussi Pohjolainen
What is the name of your organizational unit?
[Unknown]: TMI Jussi Pohjolainen
What is the name of your organization?
[Unknown]: TMI Jussi Pohjolainen
What is the name of your City or Locality?
[Unknown]: Tampere
What is the name of your State or Province?
[Unknown]: Finland
What is the two-letter country code for this unit?
[Unknown]: FI
Is CN=Jussi Pohjolainen, OU=TMI Jussi Pohjolainen, O=TMI Jussi Pohjolainen, L=Tampere, ST=Finland, C=FI correct?
[no]: yes
Generating 2,048 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 10,000 days
for: CN=Jussi Pohjolainen, OU=TMI Jussi Pohjolainen, O=TMI Jussi Pohjolainen, L=Tampere, ST=Finland, C=FI
Enter key password for <my-alias>
(RETURN if same as keystore password):
[Storing my-release-key.keystore]
TB308POHJUS-L-2:temp pohjus$ ls -al
total 88
drwxr-xr-x 5 pohjus staff 170 9 Tam 18:30 .
drwx------+ 46 pohjus staff 1564 9 Tam 16:43 ..
-rw-r--r-- 1 pohjus staff 2281 9 Tam 18:28 my-release-key.keystore
TB308POHJUS-L-2:temp pohjus$](https://image.slidesharecdn.com/08-android-signing-deploying-pptx-110128044318-phpapp01/85/Android-Security-Signing-and-Publishing-8-320.jpg)
Android Security, Signing and Publishing
- 1. Signing and Deploying Android Applica1ons Jussi Pohjolainen Tampere University of Applied Sciences
- 2. App Signing, Overview • All apps must be digitally signed with cer3ficate – Iden1fying the author of the app • Typically self signed • Debug key for debugging • Suitable private key when publishing • Crea1ng keys and signing: Keytool and Jarsigner
- 3. Debug Mode • While debugging and tes1ng, you can compile in debug mode • Build tools uses the Keytool u1lity to generate a key with known alias and password. Key is used to sign the .apk file • Developer does not have worry about this, if using Eclipse!
- 4. Release Mode • When ready to release, developer must sign the .apk with your private key • How? Two op1ons: – Using Keytool and Jarsigner in command-‐line. Keytool generates private key and Jarsigner signs the .apk with the key – Using ADT Export Wizard with Eclipse (same than above but with GUI)
- 5. Signing for Public Release 1. Obtain suitable private key 2. Compile the applica1on in release mode 3. Sign your applica1on with private key 4. Align the final APK package
- 6. Obtain Suitable Private Key • Private key – Is in your possession and represents your personal or corporate en1ty – Validity period is expected lifespan of your app • Recommenda1on: over 25 years • Android Market: apps must have validity period ending a[er 22.10.2033 – It's not the debug key J
- 7. Obtain Suitable Private Key • How to generate private key? • Use keytool – > keytool -genkey -v -keystore my- release-key.keystore -alias alias_name - keyalg RSA -keysize 2048 -validity 10000
- 8. TB308POHJUS-L-2:temp pohjus$ keytool -genkey -v -keystore my-release-key.keystore -alias my-alias -keyalg RSA - keysize 2048 -validity 10000 Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: Jussi Pohjolainen What is the name of your organizational unit? [Unknown]: TMI Jussi Pohjolainen What is the name of your organization? [Unknown]: TMI Jussi Pohjolainen What is the name of your City or Locality? [Unknown]: Tampere What is the name of your State or Province? [Unknown]: Finland What is the two-letter country code for this unit? [Unknown]: FI Is CN=Jussi Pohjolainen, OU=TMI Jussi Pohjolainen, O=TMI Jussi Pohjolainen, L=Tampere, ST=Finland, C=FI correct? [no]: yes Generating 2,048 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 10,000 days for: CN=Jussi Pohjolainen, OU=TMI Jussi Pohjolainen, O=TMI Jussi Pohjolainen, L=Tampere, ST=Finland, C=FI Enter key password for <my-alias> (RETURN if same as keystore password): [Storing my-release-key.keystore] TB308POHJUS-L-2:temp pohjus$ ls -al total 88 drwxr-xr-x 5 pohjus staff 170 9 Tam 18:30 . drwx------+ 46 pohjus staff 1564 9 Tam 16:43 .. -rw-r--r-- 1 pohjus staff 2281 9 Tam 18:28 my-release-key.keystore TB308POHJUS-L-2:temp pohjus$
- 9. Signing for Public Release 1. Obtain suitable private key 2. Compile the applica3on in release mode 3. Sign your applica1on with private key 4. Align the final APK packate
- 10. Compiling using Release Mode
- 11. TB308POHJUS-L-2:temp pohjus$ ls -al total 88 drwxr-xr-x 5 pohjus staff 170 9 Tam 18:30 . drwx------+ 46 pohjus staff 1564 9 Tam 16:43 .. -rw-r--r-- 1 pohjus staff 16435 9 Tam 18:28 BMI.apk -rw-r--r-- 1 pohjus staff 2281 9 Tam 18:28 my-release-key.keystore TB308POHJUS-L-2:temp pohjus$
- 12. Signing for Public Release 1. Obtain suitable private key 2. Compile the applica1on in release mode 3. Sign your applica3on with private key 4. Align the final APK packate
- 13. Sign your applica1on with private key • You now have the private key and the .apk file. • Sign the .apk with the private key using jarsigner • > jarsigner -verbose -keystore my-release- key.keystore my_application.apk alias_name
- 14. TB308POHJUS-L-2:temp pohjus$ jarsigner - verbose -keystore my-release-key.keystore BMI.apk my-alias Enter Passphrase for keystore: adding: META-INF/MY-ALIAS.SF adding: META-INF/MY-ALIAS.RSA signing: res/layout/main.xml signing: AndroidManifest.xml signing: resources.arsc signing: res/drawable-hdpi/icon.png signing: res/drawable-ldpi/icon.png signing: res/drawable-mdpi/icon.png signing: classes.dex
- 15. Signing for Public Release 1. Obtain suitable private key 2. Compile the applica1on in release mode 3. Sign your applica1on with private key 4. Align the final APK packate
- 16. Align the final APK Package • zipalign tool ensures op1mizes the package for running in device: reduc1on of in the amount of ram • > zipalign -v 4 your_project_name- unaligned.apk your_project_name.apk
- 17. TB308POHJUS-L-2:temp pohjus$ /Developer/android-sdk-mac_x86/tools/zipalign -v 4 BMI.apk BMI-ready-to-go.apk Verifying alignment of BMI-ready-to-go.apk (4)... 50 META-INF/MANIFEST.MF (OK - compressed) 426 META-INF/MY-ALIAS.SF (OK - compressed) 897 META-INF/MY-ALIAS.RSA (OK - compressed) 2021 META-INF/CERT.SF (OK - compressed) 2440 META-INF/CERT.RSA (OK - compressed) 3142 res/layout/main.xml (OK - compressed) 3693 AndroidManifest.xml (OK - compressed) 4296 resources.arsc (OK) 5916 res/drawable-hdpi/icon.png (OK) 9940 res/drawable-ldpi/icon.png (OK) 11536 res/drawable-mdpi/icon.png (OK) 13777 classes.dex (OK - compressed) Verification succesful TB308POHJUS-L-2:temp pohjus$ ls -al total 88 drwxr-xr-x 5 pohjus staff 170 9 Tam 18:30 . drwx------+ 46 pohjus staff 1564 9 Tam 16:43 .. -rw-r--r-- 1 pohjus staff 16443 9 Tam 18:30 BMI-ready-to-go.apk -rw-r--r-- 1 pohjus staff 16435 9 Tam 18:28 BMI.apk -rw-r--r-- 1 pohjus staff 2281 9 Tam 18:28 my-release-key.keystore TB308POHJUS-L-2:temp pohjus$
- 18. And Install using ADB TB308POHJUS-L-2:temp pohjus$ /Developer/android-sdk- mac_x86/platform-tools/adb install BMI-ready-to- go.apk 700 KB/s (16443 bytes in 0.022s) pkg: /data/local/tmp/BMI-ready-to-go.apk Success TB308POHJUS-L-2:temp pohjus$
- 19. Publishing to Android Market
- 20. Or just use Eclipse