Why sign an app?

Hello

I would like to know what are the benefits of signing an apk if I am not going to upload it to google play.

Is the mit signature generic for all users or does it still have some personal metadata? because I have read the username and password in the forum
Does it only serve to recognize an app in the future and can be updated?
Could a signed app be decompiled and edited by another user?

Thanks a lot

Hi

No.

If your APK is unsigned, many devices and all anti-virus software are going to flag it as suspicious. It might be automatically prevented from installing. The User could think twice about trusting your Apps.

So even if app inventor generates a signature automatically, I should customize it. OK thanks @ChrisWard

And....Could another user decompile and edit a signed application?

I did not say that! An App Inventor App with your own unique keystore provides the security required by Google Play Store and other distribution platforms.

Read this article for example:

1 Like

@Nacho See here:

Yes, of course. And that happens often enough (too often).

See ibid:

How should one be able to create an unsigned APK?

1 Like

The signature of an APK is stored in the META-INF directory inside of the APK file. To "unsign" an APK you simply can delete those files (although there is a different method Google is moving toward). The key is stored in a file called android.keystore, which is associated with your account (ergo, all apps you build are signed with the same key). The first time you build an app, App Inventor generates this key for you (unless you've uploaded an existing keystore). In Android land, the trust model is that you can only upgrade if the APK file is signed with the same key as the previous version, so possession of the key is critical to being able to release updates to your app. Google has a new mechanism in the Play Store where they will create a key for you and resign your app on your behalf, in case you lose your key you can ask them to trust a new key. Note that signing simply asserts that the person who holds the private key has computed a hash along with the corresponding public key. It doesn't protect the APK contents in any way since you can always remove the signature and put a new one along with malicious content. The fact that the key would then not match would have Android report that you can't upgrade the app.

Yes, but after that the app is unusable / cannot be installed anymore (at least not on my test device).

Correct. I wasn't claiming that it was. Android insists that the app have a signature. I guess it would be possible to create a custom build of Android that would allow unsigned APKs, but one would open up a huge security hole since any app could overwrite an unsigned app with a malicious version.

1 Like

And what purpose could there be in creating an unsigned app?

There's really no reason except in cases where you need to resign the app, otherwise both signatures are included. Turns out that Google Play will demand both signatures going forward when this happen (which is one reason why it's App Inventor 2 but the package name is edu.mit.appinventor.aicompanion3... whoops).

1 Like

Although I have read the documentation that you have shown me and that I have found, forgive the questions of beginners, but I am afraid to mess with this problem.

So I understand that I can create the signature with one of the different programs (Android Studio, APK Editor Studio, keytool ...) and then export it to use it in any other, even use it in the inventor app, right?

That is, since I use APK Editor Studio because it seems simpler for what I need, could I generate the keys in APK Editor Studio and later (if I feel more comfortable) put them in Android Studio (for example)?

You are supposed to create an alias for each app you create, is it recommended or is one better for all the apps you create?

Is it a good idea to import that signature into the inventor app or is it better to sign it when you already have the final version with another program?

Yes, the keys are stored in a Java Key Store (JKS) formatted file, which both jarsigner and apksigner understand. These are the tools all of these programs use to sign APKs.

Yes, Android Studio typically looks for the .keystore file from ~/.android/android.keystore or ~/.android/debug.keystore. In your gradle files you can specify the keystore file you'd like to use for signing your app.

This is really up to you. The important thing is that you know which key goes with which app so you can continue signing with the same key going forward for update purposes. If you reuse the same key that's perfectly fine, but if it becomes compromised then you will have to migrate all of your apps to a new key.

This can go either way. There are definitely people who distribute apps from App Inventor using their App Inventor keystore. Always make a backup of the keystore. For better security, keeping the keystore on an offline device (such as a USB thumbdrive) and using it to sign the app separately is probably more secure. The companion app, for example, is built by App Inventor and then we sign it with a separate keystore with an encrypted key using a different password before submitting it to the Play Store.

1 Like