[Android] App signing and keystore

Post reply
0 favourites
  • 2 posts
From the Asset Store
Math Signs Game
$16 USD
Game with complete Source-Code (Construct 3 / .c3p) + HTML5 Exported
jmnetogamedev's avatar
jmnetogamedev

  • Hello!

    I finally took the leap and moved on to Construct 3 yesterday. I have been working on the app I'm making for the past 6 months and I thought it was time too start some internal testing via the Play Store since I also want to add analytics and a single IAP in future.

    So I also opened a Google Play developer account, and added my app in the console.

    I wanted to ask you some advice regarding the app signing feature and check what's best to do and if I did it right or not?

    So here is my situation:

    • I have a keystore that I created a while back to create signed apk via PhoneGap.
    • When adding the app in Google Play, I have enable the App signing by Google Play inadvertently and uploaded the APK I signed with the keystore I had
    • I read in another thread posted a few months ago that there wasn't much advantage to using this service unless worried to lose the key.

    And here are my questions regarding app signing:

    1. Do I need to do anything when uploading new builds? Or can I just export and sign the build as usual in Construct 3 with my current keystore then upload it in Google play and it will work?
    2. Since I have backed up my keystore at different places, would it be best not to use the app signing feature, and publish another app instead (since you can't revert the app signing and I'm only at the internal testing stage)?
    3. Is it worth creating a different alias or another keystore, should I want to sell the app in future if I was to make others (probably will never happen haha)?
    4. I released an internal test last night, it's still pending publication, I suppose it's normal since it's the first time I ever released the app?

    It's all a bit confusing to me to be honest so I would like to keep it as simple as possible :)

    Note: I also read

    - construct.net/en/tutorials/building-signed-apk-android-28

    - construct.net/en/tutorials/building-android-apps-apks-in-construct-3-19

    Thanks!

  • Try Construct 3

    Develop games in your browser. Powerful, performant & highly capable.

    Try Now Construct 3 users don't see these ads

  • I can't provide too much feedback, as I've read a fair amount about the app signing service but I haven't used it. There's a few advantages I can think of:

    1. You can use Android App Bundles
    2. Your application is protected against the loss of your keystore
    3. If your keystore is compromised your app is protected from a 3rd party creating a modified build

    Android App Bundles is another kinda large topic; it's basically an alternative way to publish your application. The play store uses the bundle to produce multiple APKs based on the requirements of different phones ( screen size and CPU architecture ), so that it can remove anything that isn't required by that device. As the play store has to sign those APKs you have to use the app signing service for this. Unfortunately construct apps don't really benefit from this, so there's not much to be gained from it.

    Sounds like your already fairly protected against #2.

    #3 is fairly important. Signing an application is basically your stamp as a developer to say that you made it. Several services rely on the application signature to ensure that the app is legit. If your keystore is compromised somebody could potentially produce a modified version of your application, with your signature on it. This would mean those services would trust the application. The amount of damage that could be done with this obviously varies on the service, but it's definitely something you want to avoid. Provided you keep the keystore in a safe location, and with a very strong password on it, this likely won't a problem. But by using the app signing service the malicious actor has to have both compromised your keystore, and have access to your application on the Google Play Console. If the keystore is compromised then you can revoke it with Google Play, which isn't something you can do without app signing.

    As a final note, your probably aware of this but once you publish an app your stuck with your decision!

Post reply
  • 2 posts
Return to board index
Jump to:
Active Users
There are 1 visitors browsing this topic (0 users and 1 guests)