Sharing my Android keystore with a client [closed]

I have developed apps for different clients, but I have been using the same keystore across all these apps. One of my clients wants to update an app on the Play Store and he wants to do it on his own. So, he is asking me to share my keystore. This is because he does not want to lose the ratings etc. associated with the app.

As I have the same keystore across all my apps, I am a bit reluctant to do this. Can someone please suggest a solution that works out well for both of us?

Redeemable answered 14/4, 2013 at 15:9 Comment(3)
I'm not a SO moderator, but I think this is a very good question. If I had this problem I would have loved to get the community input. - Factorial
I agree, I think it's a good question. - Schoonmaker
This is a good question. @Redeemable, how did you overcome this problem? - Solubilize

Personal Piece of Advice: Do NOT share your keystore with anyone.

Other than that, you could have the client send you the APK, sign it, and send it back to him. If you don't want to do that, you will have to share the keystore to come to an amicable solution.

You could try to explain to the client the security risk it poses, and see if they agree to republish the app before even more ratings and downloads happen.

Additionally, you should always create a new keystore for each individual client (or even individual apps).

Permanency answered 14/4, 2013 at 15:12 Comment(5)
Well, if he is not sharing his key, the client is screwed, so either he has to sign the update for the client or share his keystore, I guess. - Bravin
I like the option of asking him to send the .apk file and then signing it on his behalf. - Redeemable
One workaround: You could give away the keystore to the client for that app. And then move to having separate keystores for the rest of the client apps from now on, assuming other clients don't really want to sign stuff themselves yet. - Sphinx
A client of mine told me that an investor asked for the key store file to do something called a “technical due diligence”. I told him it’s a bad idea to share the key with his investor but he wants to. What risk is in there? - Waspish
Also, we had agreed that I give him only the product and I clearly told him it’s in the form of an APK before coding the app. He agreed but now wants this key for this investor and is telling me this comes out when I upload the APK to the Play Store. I told him that’s not true and finally he agreed but still disagrees, saying that it’s not a part of the source code so I should give it to him still. I explained that anything that goes into the build process is considered source code and the output is the product which I agreed to give for the pay. Isn’t the key also a part of the source? How can I explain this to him? - Waspish
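
The two options from the answer above (one keystore per client, and signing an APK the client sends you) as an added shell example; it is not part of the original thread. Function names, file names and the `KS_PASS` variable are hypothetical, and it assumes the JDK's `keytool` and the Android SDK's `apksigner` are on the PATH.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not from the thread.
# The keystore password is read from the KS_PASS environment variable so it
# never appears on a command line.

# new_client_keystore DIR CLIENT -> creates DIR/CLIENT-release.p12 (alias CLIENT)
new_client_keystore() {
    ks="$1/$2-release.p12"
    if [ -e "$ks" ]; then
        echo "refusing to overwrite $ks" >&2
        return 1
    fi
    keytool -genkeypair -storetype PKCS12 -keystore "$ks" -alias "$2" \
        -keyalg RSA -keysize 2048 -validity 10000 \
        -dname "CN=$2 release key" -storepass:env KS_PASS >/dev/null 2>&1 || return 1
    chmod 600 "$ks"
}

# cert_fingerprint KEYSTORE ALIAS -> prints the certificate's SHA-256 fingerprint
cert_fingerprint() {
    keytool -list -v -storetype PKCS12 -keystore "$1" -alias "$2" \
        -storepass:env KS_PASS 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# shared_key KS1 ALIAS1 KS2 ALIAS2 -> succeeds only if both entries hold the
# same certificate, i.e. handing over one keystore also exposes the other app
shared_key() {
    a=$(cert_fingerprint "$1" "$2")
    b=$(cert_fingerprint "$3" "$4")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# sign_for_client KEYSTORE ALIAS IN_APK OUT_APK -> signs the APK the client sent
sign_for_client() {
    apksigner sign --ks "$1" --ks-key-alias "$2" --ks-pass env:KS_PASS \
        --out "$4" "$3"
}
```

Running `shared_key` over the keystores of two different clients' apps shows whether giving one of them away would also hand over the signing key of the other.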
