
Apps Is it safe to allow external devs to use their own keys?

Discussion in 'Android Development' started by AlanFM, May 9, 2012.

  1. AlanFM

    Hi,

    This is probably quite a silly question but I am new so please bear with me.

    I am trying to release an Android app and the actual development has been done by an external team located in a different country. So far they have been sending me debug versions which I could just test from an Android device normally, and the app is quite ready to be released now.

    When I tried to upload it to Google I got an error because it was not in "release mode". Reading the publishing guides on the Android developer page it seems I need some sort of key to sign the application and then I can change it to release mode.

    I am guessing this involves some sort of compiling(?) which I really do not want to do - basically because I have no idea how to do it.

    So my question is, if I just ask the development team to send me the application again in release mode (they would have to use their private key, I would not do anything), is there any risk?
     


  2. GeorgeN

    If you trust your developer then it's probably fine, but if they were malicious and they had access to your key, they could theoretically trick users into installing malicious updates.

    If you do let the developer use their own key, I would definitely make sure you get a copy of the keystore and keep it safe yourself. Without it you won't be able to update your app in the future, so having a backup is a good idea - don't trust the developer to keep it safe.

    If you can get it I would try and get your developer to give you all the source code and sign the application yourself. That way you don't need to give the developer the key and you aren't tied into the same developer if you need an update writing in the future.

    It's not too much work to build a signed binary. You just need to get the source code and install Eclipse and the ADT tools (no programming experience required!). From Eclipse just click "File -> Export -> Android -> Export Android Application". The wizard will guide you through generating a key and signing your binary.
     
  3. AlanFM

    Thanks for the info George. I will try and do what you suggested.

    I actually did install Eclipse and the ADT tools, as per the Android developer instructions. But once I launched it I was a bit overwhelmed (I have zero programming/engineering experience).

    One last bit if you don't mind. Does the debug app the developers have sent me include a key already, or is it something you just need when you are building the release version?

    Thanks again,
    Alan
     
  4. GeorgeN

    When you install the ADT tools it will auto-magically generate a debug key which is used for signing applications during development. Any binaries signed with that key will expire after 1 year.

    All applications are signed with one sort of key or another.
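
An added example, not part of the thread: a check an app owner can run on an APK received from an outside team, reporting whether it carries the SDK debug certificate (common name "Android Debug") and the SHA-256 fingerprint of the signing certificate, so two builds can be compared to confirm the same key signed both. It assumes the older JAR-style signature stored under META-INF/; the function names and the sample builder are hypothetical, and the sample is a constructed stand-in rather than a real certificate.

```python
import hashlib, io, zipfile

DEBUG_CN = b"Android Debug"  # CN of the SDK's auto-generated debug certificate

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signer_cert(pkcs7):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData block."""
    _, p, _ = tlv(pkcs7, 0)        # ContentInfo SEQUENCE
    _, _, p = tlv(pkcs7, p)        # skip contentType OID
    _, p, _ = tlv(pkcs7, p)        # [0] EXPLICIT wrapper
    _, p, _ = tlv(pkcs7, p)        # SignedData SEQUENCE
    for _skip in range(3):         # skip version, digestAlgorithms, contentInfo
        _, _, p = tlv(pkcs7, p)
    tag, p, _ = tlv(pkcs7, p)      # [0] IMPLICIT certificates
    if tag != 0xA0:
        raise ValueError("signature block carries no certificate")
    _, _, end = tlv(pkcs7, p)      # first Certificate SEQUENCE
    return pkcs7[p:end]

def inspect_apk(apk_bytes):
    """Return (debug_signed, sha256 of signing cert) for a v1 (JAR) signed APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        blocks = [n for n in z.namelist() if n.startswith("META-INF/")
                  and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not blocks:
            raise ValueError("no v1 signature block in META-INF/")
        cert = signer_cert(z.read(blocks[0]))
    return DEBUG_CN in cert, hashlib.sha256(cert).hexdigest()

def der(tag, *parts):  # builds the constructed sample only; bodies < 128 bytes
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def constructed_apk(common_name):
    """Constructed sample: a zip whose CERT.RSA wraps a stand-in, non-X.509 cert."""
    cert = der(0x30, der(0x0C, common_name))
    signed = der(0x30, der(0x02, b"\x01"), der(0x31), der(0x30), der(0xA0, cert))
    oid = der(0x06, bytes.fromhex("2a864886f70d010702"))  # pkcs7-signedData
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("META-INF/CERT.RSA", der(0x30, oid, der(0xA0, signed)))
    return out.getvalue()
```

For a real file, pass `open(path, "rb").read()` to `inspect_apk`; a release build and every later update of the same app should report the same fingerprint.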
     
  5. AlanFM

    Thanks again George. I'll give it a try and see if I can do this.
     
