An app signing key is used to sign APKs (Android Package Kits) that are installed on a user’s Android device. As part of the Android operating system’s secure update model, the signing key never changes during the lifetime of an app (the Android PackageInstaller class needs to be able to verify that an update was signed by the same key as the installed app). The app signing key is private and must be kept secret. You can, however, share the certificate that is generated using your app signing key.

If you distribute an app using Google Play, you can choose to upload Android App Bundles and have Google Play handle generating and signing individual APKs with a Google-generated app signing key. You (the developer) create an upload key and use it to sign the Android App Bundles that you upload to Google Play. You must keep the upload key secret. However, you can share the certificate that is generated using your upload key.

A natural next question is, more generally, how does digital signing work?

A digital signature scheme consists of three parts:

  1. A key generation algorithm that selects a private key at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.
  2. A signing algorithm that, given a message and a private key, produces a signature. Using the Digital Signature Algorithm (DSA) as an example digital signature scheme, a message is signed as described here. Note that DSA is retained only for the purposes of verifying existing signatures; it was removed from NIST’s Approved Digital Signature Standards (FIPS 186-5) in February 2023 (https://www.nist.gov/news-events/news/2023/02/nist-revises-digital-signature-standard-dss-and-publishes-guideline). RSA, ECDSA, and EdDSA can be used for the generation and verification of digital signatures under the FIPS standard, as described in https://csrc.nist.gov/projects/digital-signatures.
  3. A signature verifying algorithm that, given the message, public key and signature, either accepts or rejects the message’s claim to authenticity. Again using DSA as an example, see here for how a message can be verified.

As noted in https://support.google.com/googleplay/android-developer/answer/9842756, Google-generated app signing keys are RSA 4096-bit. Custom app signing keys provided by a developer to Google Play must be RSA 2048-bit or higher. The same requirement applies to upload keys.
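The following Go program is an added example (not code from the original post, Android, or Google Play) that puts the three parts of a signature scheme listed above into working code with RSA, and ties them to the two security properties the post describes: the RSA key-size floor for developer-provided keys, and the update check in which an update is accepted only if it verifies under the public key of the already-installed package. The "APK contents" are constructed byte strings standing in for real package bytes; `GenerateKey`, `Sign`, `Verify` and `SameSigner` are names chosen here, not an Android or Play API, and the scheme uses RSA-PSS with SHA-256 from Go's standard library rather than the APK Signature Scheme itself.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// MinSigningKeyBits is the smallest RSA modulus Google Play accepts for a
// developer-provided app signing key or upload key (2048 bits, per the post).
const MinSigningKeyBits = 2048

// GenerateKey is part 1 of the scheme: draw a random RSA private key of the
// requested size and return it with its corresponding public key. Keys below
// the Play minimum are rejected up front.
func GenerateKey(bits int) (*rsa.PrivateKey, *rsa.PublicKey, error) {
	if bits < MinSigningKeyBits {
		return nil, nil, fmt.Errorf("key size %d is below the %d-bit minimum", bits, MinSigningKeyBits)
	}
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	return priv, &priv.PublicKey, nil
}

// Sign is part 2: hash the message with SHA-256 and produce an RSA-PSS
// signature over the digest using the private key. Only the holder of the
// private key can do this, which is why the key must stay secret.
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is part 3: accept (nil error) only if sig was produced over exactly
// this message by the private key that matches pub. Anyone holding the public
// key (or the certificate that carries it) can run this check.
func Verify(pub *rsa.PublicKey, message, sig []byte) error {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

// SameSigner models the update rule from the post: an update package is
// accepted only when it verifies under the public key of the package that is
// already installed, so a package signed by any other key is refused.
func SameSigner(installedPub *rsa.PublicKey, update, updateSig []byte) bool {
	return Verify(installedPub, update, updateSig) == nil
}

func main() {
	// Constructed stand-ins for APK bytes; real APKs are signed over the
	// whole archive, not a short string.
	v1 := []byte("constructed APK contents, version 1")
	v2 := []byte("constructed APK contents, version 2")

	priv, pub, err := GenerateKey(2048)
	if err != nil {
		log.Fatal(err)
	}
	sigV1, err := Sign(priv, v1)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("v1 verifies under the developer key:", Verify(pub, v1, sigV1) == nil)
	fmt.Println("v1 signature accepted for modified bytes:", Verify(pub, v2, sigV1) == nil)

	// A second key models a different party trying to ship an "update".
	otherPriv, _, err := GenerateKey(2048)
	if err != nil {
		log.Fatal(err)
	}
	sigOther, _ := Sign(otherPriv, v2)
	fmt.Println("update signed by a different key accepted:", SameSigner(pub, v2, sigOther))

	// A key below the Play minimum is refused at generation time.
	_, _, err = GenerateKey(1024)
	fmt.Println("1024-bit key rejected:", err != nil)
}
```

Running it prints `true`, `false`, `false`, `true` in that order: a signature binds one key to one exact message, and the update check fails both for altered bytes and for a signature from any key other than the installed package's. Key generation at 2048 bits takes a noticeable fraction of a second, which is normal for RSA.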