
Android Security, Signing and Publishing


Page 1: Android Security, Signing and Publishing

Signing and Deploying Android Applications

Jussi Pohjolainen, Tampere University of Applied Sciences

Page 2: Android Security, Signing and Publishing

App Signing, Overview

• All apps must be digitally signed with a certificate – it identifies the author of the app

• Typically self-signed
• Debug key for debugging
• Suitable private key when publishing
• Creating keys and signing: Keytool and Jarsigner

Page 3: Android Security, Signing and Publishing

Debug Mode

• While debugging and testing, you can compile in debug mode

• The build tools use the Keytool utility to generate a key with a known alias and password. This key is used to sign the .apk file

• The developer does not have to worry about this when using Eclipse!

Page 4: Android Security, Signing and Publishing

Release Mode

• When ready to release, the developer must sign the .apk with their own private key

• How? Two options:
– Using Keytool and Jarsigner on the command line. Keytool generates the private key and Jarsigner signs the .apk with that key
– Using the ADT Export Wizard in Eclipse (same as above, but with a GUI)

Page 5: Android Security, Signing and Publishing

Signing for Public Release

1. Obtain a suitable private key
2. Compile the application in release mode
3. Sign your application with the private key
4. Align the final APK package

Page 6: Android Security, Signing and Publishing

Obtain a Suitable Private Key

• Private key – is in your possession and represents your personal or corporate entity

– Its validity period should cover the expected lifespan of your app
• Recommendation: over 25 years
• Android Market: apps must have a validity period ending after 22.10.2033

– It's not the debug key :)

Page 7: Android Security, Signing and Publishing

Obtain a Suitable Private Key

• How to generate a private key?
• Use keytool:
> keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

Page 8: Android Security, Signing and Publishing

TB308POHJUS-L-2:temp pohjus$ keytool -genkey -v -keystore my-release-key.keystore -alias my-alias -keyalg RSA -keysize 2048 -validity 10000

Enter keystore password:

Re-enter new password:

What is your first and last name?

[Unknown]: Jussi Pohjolainen

What is the name of your organizational unit?

[Unknown]: TMI Jussi Pohjolainen

What is the name of your organization?

[Unknown]: TMI Jussi Pohjolainen

What is the name of your City or Locality?

[Unknown]: Tampere

What is the name of your State or Province?

[Unknown]: Finland

What is the two-letter country code for this unit?

[Unknown]: FI

Is CN=Jussi Pohjolainen, OU=TMI Jussi Pohjolainen, O=TMI Jussi Pohjolainen, L=Tampere, ST=Finland, C=FI correct?

[no]: yes

Generating 2,048 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 10,000 days

for: CN=Jussi Pohjolainen, OU=TMI Jussi Pohjolainen, O=TMI Jussi Pohjolainen, L=Tampere, ST=Finland, C=FI

Enter key password for <my-alias>

(RETURN if same as keystore password):

[Storing my-release-key.keystore]

TB308POHJUS-L-2:temp pohjus$ ls -al

total 88

drwxr-xr-x 5 pohjus staff 170 9 Tam 18:30 .

drwx------+ 46 pohjus staff 1564 9 Tam 16:43 ..

-rw-r--r-- 1 pohjus staff 2281 9 Tam 18:28 my-release-key.keystore

TB308POHJUS-L-2:temp pohjus$

Page 9: Android Security, Signing and Publishing

Signing for Public Release

1. Obtain a suitable private key
2. Compile the application in release mode
3. Sign your application with the private key
4. Align the final APK package

Page 10: Android Security, Signing and Publishing

Compiling  using  Release  Mode  

Page 11: Android Security, Signing and Publishing

TB308POHJUS-L-2:temp pohjus$ ls -al

total 88

drwxr-xr-x 5 pohjus staff 170 9 Tam 18:30 .

drwx------+ 46 pohjus staff 1564 9 Tam 16:43 ..

-rw-r--r-- 1 pohjus staff 16435 9 Tam 18:28 BMI.apk

-rw-r--r-- 1 pohjus staff 2281 9 Tam 18:28 my-release-key.keystore

TB308POHJUS-L-2:temp pohjus$

Page 12: Android Security, Signing and Publishing

Signing for Public Release

1. Obtain a suitable private key
2. Compile the application in release mode
3. Sign your application with the private key
4. Align the final APK package

Page 13: Android Security, Signing and Publishing

Sign Your Application with the Private Key

• You now have the private key and the .apk file.

• Sign the .apk with the private key using jarsigner:

> jarsigner -verbose -keystore my-release-key.keystore my_application.apk alias_name

Page 14: Android Security, Signing and Publishing

TB308POHJUS-L-2:temp pohjus$ jarsigner -verbose -keystore my-release-key.keystore BMI.apk my-alias
Enter Passphrase for keystore:
adding: META-INF/MY-ALIAS.SF
adding: META-INF/MY-ALIAS.RSA
signing: res/layout/main.xml
signing: AndroidManifest.xml
signing: resources.arsc
signing: res/drawable-hdpi/icon.png
signing: res/drawable-ldpi/icon.png
signing: res/drawable-mdpi/icon.png
signing: classes.dex

Page 15: Android Security, Signing and Publishing

Signing for Public Release

1. Obtain a suitable private key
2. Compile the application in release mode
3. Sign your application with the private key
4. Align the final APK package

Page 16: Android Security, Signing and Publishing

Align the Final APK Package

• The zipalign tool optimizes the package for running on the device: it reduces the amount of RAM the app consumes

> zipalign -v 4 your_project_name-unaligned.apk your_project_name.apk

Page 17: Android Security, Signing and Publishing

TB308POHJUS-L-2:temp pohjus$ /Developer/android-sdk-mac_x86/tools/zipalign -v 4 BMI.apk BMI-ready-to-go.apk
Verifying alignment of BMI-ready-to-go.apk (4)...
50 META-INF/MANIFEST.MF (OK - compressed)
426 META-INF/MY-ALIAS.SF (OK - compressed)
897 META-INF/MY-ALIAS.RSA (OK - compressed)
2021 META-INF/CERT.SF (OK - compressed)
2440 META-INF/CERT.RSA (OK - compressed)
3142 res/layout/main.xml (OK - compressed)
3693 AndroidManifest.xml (OK - compressed)
4296 resources.arsc (OK)
5916 res/drawable-hdpi/icon.png (OK)
9940 res/drawable-ldpi/icon.png (OK)
11536 res/drawable-mdpi/icon.png (OK)
13777 classes.dex (OK - compressed)
Verification succesful
TB308POHJUS-L-2:temp pohjus$ ls -al
total 88
drwxr-xr-x 5 pohjus staff 170 9 Tam 18:30 .
drwx------+ 46 pohjus staff 1564 9 Tam 16:43 ..
-rw-r--r-- 1 pohjus staff 16443 9 Tam 18:30 BMI-ready-to-go.apk
-rw-r--r-- 1 pohjus staff 16435 9 Tam 18:28 BMI.apk
-rw-r--r-- 1 pohjus staff 2281 9 Tam 18:28 my-release-key.keystore
TB308POHJUS-L-2:temp pohjus$
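As an added example (not part of the original slides), the following Python check walks the JAR-style signature that jarsigner writes into the APK and that the zipalign listing above shows: the .SF file records a digest of MANIFEST.MF, and MANIFEST.MF records a digest for every signed entry, so a modified or added file is detectable even before the .RSA block is checked. It builds a constructed sample APK in memory; the entry names, the MY-ALIAS.SF file name and the tampered variant are assumptions, and the PKCS#7 signature block itself is not verified here.

```python
import base64
import hashlib
import io
import zipfile

def _b64sha1(data: bytes) -> str:
    """Base64 SHA-1 digest, the encoding jarsigner uses in MANIFEST.MF and .SF."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed sample: a tiny zip laid out like a v1-signed APK (assumed names)."""
    entries = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA1-Digest: {_b64sha1(d)}\r\n\r\n" for n, d in entries.items())
    sf = f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {_b64sha1(manifest.encode())}\r\n\r\n"
    if tamper:  # classes.dex changed after the manifest was written, as in a repacked APK
        entries["classes.dex"] += b"patched"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/MY-ALIAS.SF", sf)
        z.writestr("META-INF/MY-ALIAS.RSA", b"placeholder")  # PKCS#7 block, not checked here
        for n, d in entries.items():
            z.writestr(n, d)
    return buf.getvalue()

def _manifest_digests(text: str) -> dict:
    """Map entry name -> SHA1-Digest from the manifest's named sections (no 72-byte line wrapping handled)."""
    digests = {}
    for section in text.split("\r\n\r\n"):
        attrs = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        if "Name" in attrs and "SHA1-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA1-Digest"]
    return digests

def check_digest_chain(apk: bytes, sf_name: str = "META-INF/MY-ALIAS.SF") -> list:
    """Return the problems found in the .SF -> MANIFEST.MF -> entry chain; [] if intact."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        manifest = z.read("META-INF/MANIFEST.MF")
        if f"SHA1-Digest-Manifest: {_b64sha1(manifest)}" not in z.read(sf_name).decode():
            problems.append("MANIFEST.MF does not match the digest recorded in the .SF")
        expected = _manifest_digests(manifest.decode())
        # the signature files under META-INF/ are not themselves digested
        for name in (n for n in z.namelist() if not n.startswith("META-INF/")):
            if name not in expected:
                problems.append(f"{name}: not listed in MANIFEST.MF, so not covered by the signature")
            elif _b64sha1(z.read(name)) != expected[name]:
                problems.append(f"{name}: content digest differs from MANIFEST.MF")
    return problems
```

The same chain is what jarsigner -verify checks first; a real APK also needs the .RSA block validated against the .SF and the signer certificate compared with the expected release certificate.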

Page 18: Android Security, Signing and Publishing

And Install Using ADB

TB308POHJUS-L-2:temp pohjus$ /Developer/android-sdk-mac_x86/platform-tools/adb install BMI-ready-to-go.apk

700 KB/s (16443 bytes in 0.022s)

pkg: /data/local/tmp/BMI-ready-to-go.apk

Success

TB308POHJUS-L-2:temp pohjus$

Page 19: Android Security, Signing and Publishing

Publishing to Android Market

Page 20: Android Security, Signing and Publishing

Or just use Eclipse