In google play game services, you have to link your apps to your Game service campaign. Whenever you link an app you have to authorize it by providing the package and then the SHA1 Signing certificate fingerprint. My question is if you generate the app's apk on a different computer, the SHA1 certificate will be different. So do you have to delete the linked app and re-add it with the new SHA1? The documentation is pretty unclear about this.
My question is if you generate the app's apk on a different computer,
the SHA1 certificate will be different
Why would the certificate be different? You must use the same keystore and provide the keystore password every time you generate the APK for a release. See the documentation about this.
Warning: Keep your keystore and private key in a safe and secure place, and ensure that you have secure backups of them. If you publish an app to Google Play and then lose the key with which you signed your app, you will not be able to publish any updates to your app, since you must always sign all versions of your app with the same key.
Related
I read a little about Android keystore. What's interesting for me that such keystore allows using cryptographic opeations (like content signing and ciphering) without direct access to private key stored in a keystore. The doc says:
Android Keystore system protects key material from unauthorized use. Firstly, Android Keystore mitigates unauthorized use of key material outside of the Android device by preventing extraction of the key material from application processes and from the Android device as a whole
I would like to have similar solution in backend web application. The most important for me is to have forbidden direct access to private key from java process. In fact my application process doesn't need it because it only needs to sign content when sending back to the user.
I was looking in KeyStore java api but found nothing or missed something important.
Is such approach possible using standard java KeyStore?
I have generated Sh1 key from release keystore file then create api key from sh1 key for release mode then paste the key release folder also have generated debug mode key also in debug folder.Map is working fine in release apk but not after download same apk on google Play.
keytool -list -v -keystore F:\Sanjeev\Location\abc.jks -alias abc
i have generated sh1 from above keytool
Please suggest me what am i doing wrong.
I understand you're not able to use your app’s original keystore.
Unless you are enrolled in Google Play app signing, the only solution to this issue is to publish a new app with a new package name and a new key. In order to transition existing users to the new app, you’ll need to update the original app’s description with a link to the new app and unpublish the original app.
I absolutely understand this is a significant inconvenience, however, due to security concerns Google does not keep a copy of your keystore and at this time we do not support the deletion of apps or the re-use of package names.
You can read through this article in the Android Studio Help Center for more information about keystores.
I need to do this thing:
communicate using ssl from android terminal to a server;
each android client has its own certificate (we can say mutual authentication);
the ssl certificate must not be in the application (each person install his certificate on his phone).
How can I do it?
Obviously point 1) alone is easy (I build a keystore/truststore as explained in stackoverflow). The problem is in point 3).
Thanks,
Mario
If you are targeting Android 4.0 (ICS), you can use the system key store via the KeyChain API. For other versions, users need save their keystore somewhere (on the SD card/external storage, etc.) and let your app know where to find it.
I would like to develop an own API for Android that will request "Signature" protection level and will be accessible for 'my" applications.
Idea is following:
"install" my own certificate into system certificates storage
sign "trusted" application with my own certificate
As a result during request from any application to my API system will check if this application is signed with an appropriate certificate. If my sertificate is installed into Android everything should be fine.
I'm going to prototype that approach, but if there is something obvious that can prevent me from doing that - please let me know.
The question:
how to install own certificate into system certificates storage (assuming we will build Android ourselves and can modify system (in a reasonable borders))?
Thank you very much.
P.S. I'm not very familiar with Java/Android development, so please don't mind if you see something strange.
UPDATE:
As I wrote in a comment to zeetoobiker's answer, If I sign my API with my own certificate then it will be accessible for all my applications (signed by my certificate), but it won't have any system permissions. And I don't want all my 'customers' to navigate to the "realmb.com/droidCert/" web site. Instead I want manufacturer to add my certificate into an OS, now I'm working on making a proof of concept.
I don't think you need to install the certificate.
From the permission docs for signature:
A permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval.
This means that it's the certificate you use to sign the apps that matter (not any installed certificates) - if you sign App 1 and App 2 with the same certificate then it will have permission. If App 3 which is signed with a different certificate attempts to access the API then it will get a no permission exception.
According to the docs (I have to admit I've not done it although I'm looking at for some of my apps) it should work on vanilla Android without any necessary customisations / access to the device / root.
If you really need to install the root certificate, this may help but I don't think you do for your stated aim.
I want users to be able to install their own personal certificate into my Android application after installation from a website which generates the certificates, but when I use a WebClient or the Android Browser to surf to it, the Secure Storage pops up and installs it, which is unavailable by API until version 14 (Android 4.0), which my users do not have installed.
An example of such a site is http://www.comodo.com/home/email-security/free-email-certificate.php .
Here you can request a personal certificate, and after confirming, you get a link where you can download the certificate.
I want users to be able to download certificates from this website, and others, into my application.
Can anyone tell me which intent to handle to be able to get the certificate into my own application, or how to modify WebClient such that it allows me to decide what it should do with the file?
Thanks in advance,
Patrick
Since the Android keystore API is not public before ICS (4.0), you need to save the key and certificate to some file your app can access to be able to use them. If you require a standard password-protected Java keystore file and require password input for crypto operations, it would be reasonably secure.
You can import a key/certificate pair in pre-ICS versions using Settings->Location and security->'Install from SD card', but there is no public API to access those from your app, the can only be used by the built-in VPN client.