The Signing Key of Android apps

Anirban Mukherjee
4 min readOct 9, 2022

--

The key through which Google ensures continued app publication for all developers.

Problem

Say, a developer publishes an app on the Google PlayStore. The app is verified by Google and released to users, and becomes a success! It garners 1000’s of users every day. A month later, a bug shows up in the app. The developer in the meantime, was not expecting this. They changed their workstation, and with it, lost the key with which they had signed the app build when publishing it.

Now, the developer has managed to fix the bug, and got a release build ready. But they do not have the old key with which they signed the app. Android OS requires all updates to an app be signed with the same key, to be able to verify that the app’s updates came from the same developer who built the app. This means, now if the developer publishes the app with a new key, the user’s phones will reject the version with the software fix !

Problem for Google

For a budding developer or a not-so-popular app, this is not really a problem. They can simply move on OR rebrand the app and submit a new one to Play Store.

The real problem however, is then for Google.

On one hand, they can, over time, collect a bunch of apps that cannot be maintained by their developers.

On the other hand, developers (and this typically happens to single-person developers rather than companies) who lose their signing key are no longer able to maintain and provide updates to their own app. This has a negative impact on the reputation of the Play Store itself, of not being able to sustainably deliver app updates to users.

As regular users, most people very often do not care where the app came from. They care about being able to use the app reliably, securely and to get support if something goes wrong.

Solution

Google solved this in a two-step approach.

Firstly, they had already started rolling out app publishing in AAB (Android App Bundle) format rather than native APK files. AAB contains more information that an APK does, and contain this info in a way that PlayStore servers can generate the APK fro the AAB file. This way the actual APK that is downloaded to the user’s phone remains decipherable to PlayStore backend.

Secondly, Google introduced 2 separate keys -> Upload Key and Signing Key.

An Upload Key is the key with which the developer signs the AAB file contents, and this is signed and verified between the developer and Google’s PlayStore backend. Once the AAB file is uploaded, PlayStore verifies that the app is published by a developer who has the same Upload Key as the previous builds of the app.

PlayStore then extracts the contents of the AAB file, and generates the APK file from it. Then it signs this APK file with a new Signing Key, and distributes the APK file to the user’s devices. So essentially, the Signing Key is the key that the user’s Android phone will verify against. It will check every subsequent update of an app to be signed with the same Signing Key as the previous one, and thereby the key that is actually signed by Google.

With this simple trick, Google PlayStore ensures that the user’s device verifies against a key that it store itself. PlayStore obviously has much better storage and backup mechanisms than any developer’s workstation and can ensure that the Signing Key of any app is never lost.

What does this mean for the developer ?

This means that we as developers, the key that we sign our apps with, are actually valid between us and Google PlayStore only, and has nothing to do with the key that our user’s phone actually receives.

This also means, that if we lose our workstation or the Mac KeyChain gets corrupted, we can quickly generate a new key, register that in PlayStore and upload the next build of our app. PlayStore will know that the app’s update build came from me ( it knew it when I registered my new key ) and extracts out the Upload Key, and signing the distribution APK with the actually Signing Key of my app, and sends the APK to my users.

This also means that PlayStore simply made life a lot more easier for small scale developers like me !

If you have a user’s phone with your app installed on it through PlayStore, if you try to compile and sign a new version of your app from your workstation and try to ‘adb install …’ it, the installation will fail due to mismatch of keys !

Happy coding!

I regularly write about different topics in tech including career guidance, the latest news, upcoming technologies, and much more. This blog was originally posted in my blogs at anirban-mukherjee.com

--

--

Anirban Mukherjee
Anirban Mukherjee

Written by Anirban Mukherjee

Loves writing code, building projects, writing about tech stuff, running side hustles; Engineering leader by day, nerd builder by night.

No responses yet