Issues in publishing unsigned .apk file?

6

8

There are many questions about signed and unsigned .apk files. For testing & debugging we can use the unsigned .apk file that is generated inside the bin folder. This apk file is generated using a dummy keystore file. My question is: why do we need to use a signed apk? Can't we publish an unsigned apk? What's wrong with that?

Bedard answered 4/3, 2014 at 13:6 Comment(0)
9

There are a number of reasons why you want to have a release-signed application. There's even a great article about it. Here are a few reasons:

  1. It's a method by which the end user can verify that an app is in fact published by the same author.
  2. The release process allows Android to use additional features, like In-App purchases. Without it, Google can't verify that the app is in fact yours.
  3. It's a way of saying that someone trusted released the app.
  4. It is a two-step authentication process to verify that your app is yours. That gives an added layer of security that can't be achieved by other means.
  5. Applications signed with the same key are allowed to share resources. The debug certificate is shared by everyone, and you probably don't want all of your apps to have that level of access.

Basically, it makes a hacker's life more difficult, which is always a good thing.

For instance, one might give people access to the Google Play account to modify the description, but you don't want them to upload new apps. Without the key, they can't upload the app. Furthermore, if your Google password is cracked, the attacker still can't upload the app. It takes having your private key file and key to crack it.

Paederast answered 4/3, 2014 at 13:10 Comment(6)
Take a scenario: I'm developing an Android app for a company for their employees (not to publish in the Play Store). Can I give an unsigned apk release?Bedard
You could, in fact, although I would still sign it anyway, as a matter of practice. Signing it certifies that the app is ready for a non-development/tester environment.Paederast
you explained well...TnQBedard
@Paederast You can't give an unsigned app to anyone; it can't be installed on a device/emulator.Ailurophile
@TGMCians: I install unsigned apps frequently, but always via Eclipse. I would assume you could install them in a similar manner. I guess signed would make it easier. Hmmm... Will edit appropriately.Paederast
@Paederast Not true, you can't install unsigned apps even via Eclipse.Ailurophile
3

@Pearson covered almost all of it, but there is one thing I would like to cover.

In Android, there is no way to install an unsigned application on your developer phone/emulator. You have to sign your application with either the debug certificate or your own certificate.

Upon installation, the Android SDK generates a “debug” signing certificate for you in a keystore called debug.keystore. A debug certificate is only valid for 365 days.

So when you install your application through any IDE (Eclipse/Android Studio), the IDE also signs the app using the debug certificate.

Update

My question is: why do we need to use a signed apk? Can't we publish an unsigned apk? What's wrong with that?

You need to sign your app with your own release keystore certificate, because you can't publish an app that is signed with the debug certificate, for these reasons:

One reason is that your debug certificate expires within a year, so once it has expired you can no longer release an update of your app. That is also a reason Google does not allow it, and there are some more major security concerns.

The second reason is that the Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications.

Ailurophile answered 4/3, 2014 at 14:22 Comment(0)
2

Only people who have enabled debugging in their developer options will be able to run it. And people will need to know how to enable developer options (by clicking on 'Build Number' in the phone settings seven times). Google will not let you publish a debug apk, so people will have to side-load it.

Ropedancer answered 4/3, 2014 at 13:10 Comment(0)
1

An apk signed with the debug keystore is a signed apk. An unsigned apk can't be uploaded to a device. For production you must create a different keystore to sign with. Also, once published, future updates must be done using the same keystore. If the keystore is lost, the application can't be updated.

Polypoid answered 4/3, 2014 at 13:10 Comment(0)
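The three practical points made in the answers above (Paederast: the debug certificate is shared by everyone, so it proves nothing about the author; Ailurophile: the debug certificate expires, so check its dates; Polypoid: every update must carry the same release key, so pin its fingerprint) can be turned into a release-gate script. What follows is an added example and is not code from this thread or from the Android SDK. It assumes `apksigner` (Android build-tools) and `keytool` (JDK) are on PATH, that the debug keystore is at `~/.android/debug.keystore` with the SDK's standard alias `androiddebugkey` and password `android`, and that `apksigner verify --print-certs` prints its `Signer #1 certificate DN:` and `Signer #1 certificate SHA-256 digest:` lines; the keystore file name, key alias, release DN and pinned fingerprint are placeholders you would replace. `classify_signer` works on the captured report text, so it can be exercised without the tools installed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes apksigner (Android build-tools)
# and keytool (JDK) are on PATH for the signing and inspection functions.
set -eu

# Distinguished name the SDK writes into every developer's debug certificate.
# Everyone with the SDK holds this key, so a debug-signed APK proves nothing
# about its author and would share signature-level trust with any other debug app.
DEBUG_DN="CN=Android Debug, O=Android, C=US"
DEBUG_KS="${HOME:-}/.android/debug.keystore"

# Pull the signer DN out of `apksigner verify --print-certs` output on stdin.
signer_dn() {
    sed -n 's/^Signer #1 certificate DN: //p' | head -n 1
}

# Pull the signer certificate SHA-256 digest out of the same output (lowercase hex).
signer_sha256() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: //p' | head -n 1 | tr 'A-F' 'a-f'
}

# Classify the signer in an apksigner report ($1) against a pinned release
# fingerprint ($2, hex with or without colons). Prints debug, release or unexpected.
classify_signer() {
    report=$1
    pinned=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    dn=$(printf '%s\n' "$report" | signer_dn)
    sha=$(printf '%s\n' "$report" | signer_sha256)
    if [ "$dn" = "$DEBUG_DN" ]; then
        echo debug          # shared SDK key: never ship this
    elif [ -n "$sha" ] && [ "$sha" = "$pinned" ]; then
        echo release        # same key as the published version: updates will install
    else
        echo unexpected     # different key: devices and Play reject it as an update
    fi
}

# Print the validity window of the local debug certificate instead of assuming
# a fixed lifetime (alias and password are the SDK defaults).
debug_cert_validity() {
    keytool -list -v -keystore "$DEBUG_KS" -storepass android -alias androiddebugkey \
        | grep '^Valid from'
}

# One-time creation of a release keystore (placeholder DN). Keep the file and
# its password out of the repository and back them up: a lost key means no more updates.
make_release_keystore() {
    ks=$1 keyalias=$2 pass=$3
    keytool -genkeypair -keystore "$ks" -alias "$keyalias" -keyalg RSA -keysize 4096 \
        -validity 10000 -storepass "$pass" -keypass "$pass" \
        -dname "CN=Example Release Key, O=Example Corp, C=US"
}

# Sign an already zipaligned unsigned APK with the release key (zipalign must
# run before apksigner), then verify the result against the pinned fingerprint.
sign_and_check() {
    unsigned=$1 out=$2 ks=$3 keyalias=$4 pass=$5 pinned=$6
    apksigner sign --ks "$ks" --ks-key-alias "$keyalias" \
        --ks-pass "pass:$pass" --key-pass "pass:$pass" --out "$out" "$unsigned"
    classify_signer "$(apksigner verify --print-certs "$out")" "$pinned"
}

# Usage: sh apkcheck.sh app.apk <pinned-release-sha256>
# Exit status is non-zero unless the APK is signed with the pinned release key.
if [ $# -eq 2 ]; then
    result=$(classify_signer "$(apksigner verify --print-certs "$1")" "$2")
    echo "$1: $result signer"
    [ "$result" = release ]
fi
```

Run it in CI against every artifact before upload: a `debug` result means the build went through the IDE's debug keystore, and an `unexpected` result means someone signed with a key other than the one the published app already carries, which is exactly the update that devices will refuse to install.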
1

An unsigned APK is harder to trace to the original author. Although in principle there is nothing wrong with that, Google forces you to sign your APK before publishing in Google Play. Because of this, Google has the power to revoke the certificate when a developer abuses Google Play to publish software, i.e. malware.

Also, because you have to pay Google for a certificate, Google hopes that malicious developers won't pay over and over again to publish their application.

Decahedron answered 4/3, 2014 at 13:11 Comment(3)
You don't pay for a certificate actually.Paederast
I always thought you did. Sorry, my bad.Decahedron
No, you pay for the account, but not the certificate.Paederast
1

From Android Developers:

"The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications"...

Read all about it here

Klapp answered 4/3, 2014 at 13:12 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.