Keystore: Its Importance, Use, and Creation

Why Do I Need Keystore?

Read this info taken from the Android Developer docs about Securing Your Private Key:


Maintaining the security of your private key is of critical importance, both to you and to the user. If you allow someone to use your key, or if you leave your keystore and passwords in an unsecured location such that a third-party could find and use them, your authoring identity and the trust of the user are compromised.If a third party should manage to take your key without your knowledge or permission, that person could sign and distribute applications that maliciously replace your authentic applications or corrupt them. Such a person could also sign and distribute applications under your identity that attack other applications or the system itself, or corrupt or steal user data.Your private key is required for signing all future versions of your application. If you lose or misplace your key, you will not be able to publish updates to your existing application. You cannot regenerate a previously generated key. Your reputation as a developer entity depends on your securing your private key properly, at all times, until the key is expired. Here are some tips for keeping your key secure:

  • Select strong passwords for the keystore and key.
  • When you generate your key with Keytool, do not supply the -storepass and -keypass options at the command line. If you do so, your passwords will be available in your shell history, which any user on your computer could access.
  • Similarly, when signing your applications with Jarsigner, do not supply the -storepass and -keypass options at the command line.
  • Do not give or lend anyone your private key, and do not let unauthorized persons know your keystore and key passwords.
  • Keep the keystore file containing your private key that you generate with the Keytool in a safe, secure place.

In general, if you follow common-sense precautions when generating, using, and storing your key, it will remain secure.


 

How to Generate a Keystore

Generate Random Password

Clicking on this link: Random.org random strings is a really easy way to do this. Strings generated at this link will be 100 strings 16 characters in length and contain a mix of upper- & lowercase alpha chars as well as digits.

Generate keystore file

Android Developer Docs – App Signing

keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

 

Configure Gradle to use the keystore

Modify your app’s build.gradle to reflect the keystore details

signingConfigs {
    release {
        storeFile file("KEYSTORE.FILENAME")
        storePassword "RANDOMLY GENERATED PASSWORD"
        keyAlias "KEY ALIAS"
        keyPassword "SAME AS STOREPASSWORD"
    }
}

 

If a keystore is lost or compromised:

! This How-To is not intended for generating a keystore for an app that has already been deployed.

  • – A new keystore would need to be created.
  • – The APK would need to be signed with the new key.
  • The old application would have to be removed from Google Play Store.
  • – A new application would have to be created in the Google Play Store.

Interesting in doing this for a living?

SEE OUR JOB OPENINGS