Posted by Kobi Glick, Product Manager, Google Play
Every app on Android is signed with a key. This key is used to ensure the app’s
integrity by checking that updates are signed with the same key. In the
past, the burden of securely holding the signing key has always been with the
developer. We’re now offering an app signing service on Google Play that can
help you if you lose or compromise your key.
Until recently, losing your key would make it impossible to update your app with
a new version. A compromised key would be a serious issue too: a third party
could maliciously replace an authentic app or corrupt it. Unfortunately, in such
cases, the only solution was to publish a new app, with a new package name and
key, and ask all of your users to install it.
App signing in the Play Console allows us to offer help in such circumstances.
For existing apps, it requires transferring your app signing key to Google Play.
For new apps, we can generate your app signing key. Once enrolled in app
signing, you sign your APK with an upload key, which we use to authenticate your
identity. We’ll then strip that signature and re-sign your app with the app
The app signing key is now securely managed by Google Play, meaning that you are
only responsible for managing your upload key. If your upload key is compromised
or lost, our developer operations team can assist by verifying your identity and
resetting your upload key. We’ll still re-sign with the same app signing key,
allowing the app to update as usual.
Rest assured, your key will be fully protected by Google’s robust cloud security
infrastructure and will benefit from the ongoing investment we’re making in
our security systems. In the future, we plan to offer developers who sign with
Google Play automatic optimizations to enhance their app distribution. Stay
tuned for more news in this area!
Learn more about how app signing works in the help center or watch the session
about app signing from Google I/O 2017. Get started on securing your app in the
release management section of the Play Console.
Android Developers Blog