Android Security, Signing and Publishing
1. Signing and Deploying Android Applications
Jussi Pohjolainen
Tampere University of Applied Sciences
2. App Signing, Overview
• All apps must be digitally signed with a certificate
– Identifying the author of the app
• Typically self-signed
• Debug key for debugging
• Suitable private key when publishing
• Creating keys and signing: Keytool and Jarsigner
3. Debug Mode
• While debugging and testing, you can compile in debug mode
• Build tools use the Keytool utility to generate a key with a known alias and password. The key is used to sign the .apk file
• The developer does not have to worry about this if using Eclipse!
4. Release Mode
• When ready to release, the developer must sign the .apk with their own private key
• How? Two options:
– Using Keytool and Jarsigner on the command line. Keytool generates the private key and Jarsigner signs the .apk with the key
– Using the ADT Export Wizard with Eclipse (same as above but with a GUI)
5. Signing for Public Release
1. Obtain suitable private key
2. Compile the application in release mode
3. Sign your application with private key
4. Align the final APK package
6. Obtain Suitable Private Key
• Private key
– Is in your possession and represents your personal or corporate entity
– Validity period is the expected lifespan of your app
• Recommendation: over 25 years
• Android Market: apps must have a validity period ending after 22.10.2033
– It's not the debug key :)
8. TB308POHJUS-L-2:temp pohjus$ keytool -genkey -v -keystore my-release-key.keystore -alias my-alias -keyalg RSA -keysize 2048 -validity 10000
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Jussi Pohjolainen
What is the name of your organizational unit?
[Unknown]: TMI Jussi Pohjolainen
What is the name of your organization?
[Unknown]: TMI Jussi Pohjolainen
What is the name of your City or Locality?
[Unknown]: Tampere
What is the name of your State or Province?
[Unknown]: Finland
What is the two-letter country code for this unit?
[Unknown]: FI
Is CN=Jussi Pohjolainen, OU=TMI Jussi Pohjolainen, O=TMI Jussi Pohjolainen, L=Tampere, ST=Finland, C=FI correct?
[no]: yes
Generating 2,048 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 10,000 days
for: CN=Jussi Pohjolainen, OU=TMI Jussi Pohjolainen, O=TMI Jussi Pohjolainen, L=Tampere, ST=Finland, C=FI
Enter key password for <my-alias>
(RETURN if same as keystore password):
[Storing my-release-key.keystore]
TB308POHJUS-L-2:temp pohjus$ ls -al
total 88
drwxr-xr-x 5 pohjus staff 170 9 Tam 18:30 .
drwx------+ 46 pohjus staff 1564 9 Tam 16:43 ..
-rw-r--r-- 1 pohjus staff 2281 9 Tam 18:28 my-release-key.keystore
TB308POHJUS-L-2:temp pohjus$
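A pre-release check for the key requirements on slide 6, added here as an example and not part of the original slides: it reads `keytool -list -v` output and rejects the debug certificate or a validity period that does not end after 22.10.2033. The function names, the sample text and the `CN=Android Debug` subject of the SDK debug certificate are assumptions not taken from the slides.

```shell
#!/bin/sh
# Added example: checks `keytool -list -v` text (stdin) against slide 6's rules.
# Assumes keytool's English "Owner:" / "Valid from: ... until: ..." lines.
CUTOFF=20331022   # Android Market: validity must end after 22.10.2033

# Print the certificate expiry as YYYYMMDD, parsed from the "until:" field.
cert_expiry() {
    awk '/Valid from:.*until:/ {
        sub(/.*until: */, "")        # keep only the expiry timestamp
        n = split($0, f, " ")        # e.g. Fri May 27 19:28:00 EEST 2039
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[2]) + 2) / 3
        printf "%04d%02d%02d\n", f[n], m, f[3]
        exit
    }'
}

# Return 0 if the certificate is usable for a release build, 1 otherwise.
check_release_cert() {
    info=$(cat)
    # Assumption: the SDK's auto-generated debug certificate has CN=Android Debug.
    if printf '%s\n' "$info" | grep -q '^Owner:.*CN=Android Debug'; then
        echo "FAIL: this is the debug certificate" >&2; return 1
    fi
    expiry=$(printf '%s\n' "$info" | cert_expiry)
    if [ -z "$expiry" ]; then
        echo "FAIL: no validity line found" >&2; return 1
    fi
    if [ "$expiry" -le "$CUTOFF" ]; then
        echo "FAIL: expires $expiry, must be after $CUTOFF" >&2; return 1
    fi
    echo "OK: valid until $expiry"
}

# Constructed sample: what the 10000-day key created on 9 Jan 2012 would show.
SAMPLE_RELEASE='Owner: CN=Jussi Pohjolainen, OU=TMI Jussi Pohjolainen, O=TMI Jussi Pohjolainen, L=Tampere, ST=Finland, C=FI
Valid from: Mon Jan 09 18:28:00 EET 2012 until: Fri May 27 19:28:00 EEST 2039'
# Constructed sample: a debug certificate (dates are illustrative).
SAMPLE_DEBUG='Owner: CN=Android Debug, O=Android, C=US
Valid from: Mon Jan 09 18:28:00 EET 2012 until: Wed Jan 01 18:28:00 EET 2042'

printf '%s\n' "$SAMPLE_RELEASE" | check_release_cert        # passes
printf '%s\n' "$SAMPLE_DEBUG" | check_release_cert || true  # rejected: debug cert
# Real use: keytool -list -v -keystore my-release-key.keystore -alias my-alias | check_release_cert
```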
9. Signing for Public Release
1. Obtain suitable private key
2. Compile the application in release mode
3. Sign your application with private key
4. Align the final APK package
11. TB308POHJUS-L-2:temp pohjus$ ls -al
total 88
drwxr-xr-x 5 pohjus staff 170 9 Tam 18:30 .
drwx------+ 46 pohjus staff 1564 9 Tam 16:43 ..
-rw-r--r-- 1 pohjus staff 16435 9 Tam 18:28 BMI.apk
-rw-r--r-- 1 pohjus staff 2281 9 Tam 18:28 my-release-key.keystore
TB308POHJUS-L-2:temp pohjus$
12. Signing for Public Release
1. Obtain suitable private key
2. Compile the application in release mode
3. Sign your application with private key
4. Align the final APK package
13. Sign your application with private key
• You now have the private key and the .apk file.
• Sign the .apk with the private key using jarsigner
• > jarsigner -verbose -keystore my-release-key.keystore my_application.apk alias_name
15. Signing for Public Release
1. Obtain suitable private key
2. Compile the application in release mode
3. Sign your application with private key
4. Align the final APK package
16. Align the final APK Package
• The zipalign tool optimizes the package for running on the device: reduction in the amount of RAM used
• > zipalign -v 4 your_project_name-unaligned.apk your_project_name.apk