Home / Android / Securing and Optimizing Your App with Google Play App Signing

Securing and Optimizing Your App with Google Play App Signing

Google formally introduced the brand new Android App signing methodology throughout Google I/O ‘17.

The new app signing methodology permits Google securely set up builders’app signing keys.

Diagrammatic rationalization of ways app signing works nowadays.

Without Google App Signing (the outdated signing methodology), you signal your app with your app signing key, add to playstore and Google distribute your app on your customers.

Diagrammatic rationalization of Google App Signing.

With the brand new methodology, you don’t seem to be required to for my part signal your app with the app signing key. Here is the way it works:

  1. You signal your app with an upload_key; which you’re going to generate for your Android Studio — “AS”
  2. Google eliminates and test the upload_key.
  3. Finally, Google re-sign the app with the unique app signing key you equipped and the app can be dropped at the customers.

There are some execs and cons of the brand new signing methodology:


  1. Your app signing key’s extra secured as a result of they’re saved at the infrastructures Google makes use of to safe it’s personal keys. Without this Google App signing, should you lose your app signing key, you may not be capable to liberate new updates in your app, therefore, you want to liberate a brand new app with a brand new bundle identify. Oh no ??‍♂, that might be an excessively horrible enjoy.
  2. Your app would now not be compromised should you lose your upload_key to a 3rd birthday celebration; Google manages your key. Google would reset it and that might save your app. Isn’t that excellent?


If you want to check the signed model of your app ahead of importing to playstore, you could want to first signal the app with the unique app signing key despite the fact that you may nonetheless want to signal it with the upload_key so that you can add to the Google server.

Important realize:

Google Play App Signing is non-compulsory. You can stay managing your key if you don’t find it irresistible.

Once you join to this new app signing methodology, you’ll be able to not revert the method. Hence, remember to agree with the phrases and situation ahead of you in the end join to it.

More so, be sure to have a backup of your unique app signing key (the non-public key you do use to signal your app) ahead of you embark in this procedure. This put you on a more secure facet will have to if you happen to injury/corrupt your app signing key throughout this procedure.

Let’s do a walk-through of the brand new signing procedure:

Nota bene: This write-up is written for current apps on Google Playstore.

Go on your Google Play Console, Click Release controlApp signing

Getting began with the Google App Signing.

1. Encryption of your Original App Signing Key.

Download the Pepk (Play Encrypt Private Key) device as proven under. This will have to be discovered on your device obtain listing after a a success obtain.

Pepk device: for exporting personal keys from a Java Keystore and encrypting them for switch to Google Play.

Open terminal (Mac OS) or CMD (Windows OS) and run the command line (you’ll be able to reproduction if out of your Google play console) proven under to run the Perk device. Don’t fail to remember to switch the parameters highlighted in daring. The command is supposed to encrypt your unique app signing key.

N.B: The command line may now not run if you’re the usage of JDK less than eight.

Explanation of phrases (within the command):

  1. The pepk.jar (despite the fact that now not highlighted in daring within the command line) will have to get replaced with the trail to the pepk device you downloaded previous. Something like /Users/yourUsername/Downloads/pepk.jar
  2. foo.keystore (keystore) is the trail to the keystore containing your personal key (unique app signing key) to export. Something like /Users/yourUsername/Documents/Appkeys/keystore
  3. foo (alias) is the alias of the non-public key of the app you wish to have to signal.
  4. encrypted_private_key_path (output) is the trail to document through which to output the encrypted personal key. You select a reputation for it so it might appear to be: /Users/yourUsername/Documents/Appkeys/encryptedPrivateKey

The command would suggested you to enter your key retailer and key password.

N.B: While you’re typing the password, it might NOT show for your display screen despite the fact that it acknowledges it.

If this command run effectively, an encrypted personal key can be generated (mine is stored as encryptedPrivateKey in response to the identify I selected above) , add it on your Googleplay console as proven under

Button to add the encrypted app signing key.

2. Generation of a New Upload Key.

The new upload_key is the important thing you may be the usage of to signal your app due to this fact reasonably than the unique app signing key.

You want to generate an upload_key the usage of the important thing technology procedure in AS. On your AS toolbars, click on BuildGenerate Signed APK

The conversation under would pop up.

Click Next. Then the conversation under pops up.

Click Create new… button and the conversation under to generate the upload_key would pop up.

Replace the main points within the conversation with yours. Select a trail to avoid wasting your key retailer. The android.jks within the key retailer trail is what you wish to have to call the document to avoid wasting the upload_key. It will have to have the .jks (JAVA keystore) extension. You can building up the validity length to the years you desired. The most validity is 1,000 (years).

Click Ok button and the upload_key is generated. You can take a look at the trail you specified to reserve it to verify it’s introduction.

three. Certificate Generation for the Upload Key.

Now, we want to generate/export a certificates for the upload_key generated in step (2).

Use the command under to do the operation. Ensure that you simply exchange the arguments highlighted in daring.

securing and optimizing your app with google play app signing - Securing and Optimizing Your App with Google Play App Signing
Command for certificates technology

Explanation of phrases:

upload-keystore.jks (keystore) is the trail to the keystore of the upload_key generated in step 2. Something like /Users/yourUsername/Documents/AppKeys/addKeystore.jks

add (alias) is the alias of the upload_key you generated in step 2.

upload_certificate.pem (document) is the identify (in PEM structure) you want to make a choice for the certificates which might be generated. Something like /Users/yourUsername/Documents/AppKeys/upload_certificate.pem

If the command run effectively, a .pem certificates can be generated. Click the button (as proven under on your Google console account) to add the certificates.

four. Enrollment to Google App Signing.

It is time to sign up the app to Google App Signing. Enrolling to it approach:

  • Permanent enrollment of your app in Google Play App Signing.
  • Transfer of your app signing key to Google.
  • Registration of a brand new add key that are supposed to be used for all next APK uploads

Finally, Click the ENROLL button and you’re excellent to move.

N.B: Henceforth, you’re going to be signing your app with upload_key. Google would then re-sign your app with the encrypted personal key you uploaded in step 1.


https://www.youtube.com/watch?v=5tdGAP927dk&t=406s https://support.google.com/googleplay/android-developer/answer/7384423?hl=en https://developer.android.com/studio/publish/app-signing.html#release-mode

If you in finding this handy, kindly clap for me so others will see it on Medium.

Kindly depart your feedback, enquiries, questions or statement.

Thanks to Amit Shekhar for reviewing this.

Yours in life-long finding out, Abayomi.

Leave a Reply

Your email address will not be published. Required fields are marked *


%d bloggers like this: