Home » Android » android – Issues in publishing unsigned .apk file?

android – Issues in publishing unsigned .apk file?

Posted by: admin June 15, 2020 Leave a comment

Questions:

There are many questions about signed and unsigned .apk files.for testing & debugging we can use unsigned .apk file that generated inside bin folder. This apk file generated using a dummy keystore file. My question is why we need to use signed apk. can’t we publish a unsigned apk. what’s wrong with that?

How to&Answers:

There’s a number of reasons why you want to have a release signed application. There’s even a great article about it. Here’s a few reasons:

  1. It’s a method that the end user can verify that an app is in fact published by the same author.
  2. The release process allows for Android to use additional features, like In App purchases. Without it, Google can’t verify that in fact the app is yours.
  3. It’s a way of saying that someone trusted released the app.
  4. It is a two step authentication process to verify your app is yours. That gives an added layer of security that can’t be done via other means.
  5. Applications signed with the same key are allowed to share resources. The debug certificate is shared by all, and you probably don’t want to have that level of access with all of your apps.

Basically, it makes a hacker’s life more difficult, which is always a good thing.

For instance, one might give access to the Google Play account to people to modify the description, but you don’t want them to upload new apps. Without the key, they can’t upload the app. Furthermore, if your google password is cracked, you still can’t upload the app. It takes having your private key file and key to crack it.

Answer:

As @Pearson covered almost all the things but one thing I like to cover.

In Android, you can not install the unsigned application in any how on your developer phone/emulator. You have to sign your application either by debug or your own certificate.

Upon installation, the Android SDK generates a “debug” signing certificate for you in a keystore called debug.keystore. A debug certificate is only valid for 365 days.

So When you install your application through any IDE Eclipse/Android Studio, IDE also sign the app using the debug certificate.

Update

My question is why we need to use signed apk. can’t we publish a unsigned apk. what’s wrong with that?

You need to sign your app with your own release keystore certificate because you can’t publish app which are signed with debug certificate because

One reason is your debug certificate expire within a year so after that you can not release the update of your app Once your debug certificate has expired that why also reason Google does not allow and some more major security concern.

Second reason is android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications.

Answer:

Only people who have enabled debugging in their developer options will be able to run it. And people will need to know how to enable developer options (by clicking on ‘Build Number’ in the phone settings seven times). Google will not let you publish a debug apk, so people will have to side-load it.

Answer:

Apk with debug keystore is a signed apk. Unsigned apk can’t be uploaded to a device. For production you must create a different keystore to sign with. Also, once published, future updates must be done using the same keystore. If the keystore is lost, the application can’t be updated.

Answer:

An unsigned APK is harder to trace to the original author. Although in principal there is nothing wrong with that, Google forces you to sign your APK before publishing in Google Play. Because of this Google has the power to revoke the certificate when a developer abuses Google Play to publish software, ie. malware.

Also, because you have to pay Google for a certificate, Google hopes that malicious devevelopers won’t pay over and over again to publish there application.

Answer:

From Android Developers:

“The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application’s developer. The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications”…

Read all about it here