How To Privately Sign Secured or Shielded Android Apps

 

Signing Android applications is required in order to install the applications on mobile devices. Many individuals sign within their development and integration platform, but some are required to sign the app on designated computers in order to preserve the signing credentials within a trusted environment. This Knowledge Base article summarizes the steps required to Privately Sign Secured or Shielded Android Apps.

We hope you find it useful and enjoy using Appdome!

3 Easy Steps to Privately Sign Secured or Shielded Android Apps

Follow these step-by-step instructions to privately sign secured or shielded Android apps.

  1. Choose Private Signing as the signing method on the Appdome platform
  2. Enter the certificate fingerprint
    NOTE: The certificate fingerprint is obtained using the Java keytool, as described in the next section. Once you obtain the fingerprint, you can paste it with or without colon (:) separators.
    NOTE: The hint is the fingerprint of the signing certificate of the application as it was uploaded to Appdome. If you are signing before and after Appdome with the same credentials, the hint will suffice.
  3. Click the link Private Signing. (Optional) To save the signing method on your fusion set, mark the checkbox.

Next, you need to verify your certificate fingerprint and click Private Signing.


Once Sealing the application for Anti Tampering is complete, you can download the application and Deploy it.


Prerequisites to Privately Sign Secured or Shielded Android Apps

  1. An Android signing certificate. You can use the information in these resources on how to create a self-signed certificate Keystore:
    - Using Google Play and your Own Keystore
    - Signing Android Apps with Private Keys and Certificates
  2. Appdome account
  3. Appdome-GO access
  4. Built Mobile app

How to Obtain the Certificate Fingerprint for Appdome Anti-Tampering

The fingerprint is a one-way hash of the certificate stored in the Android signing Keystore.
To get the fingerprint required by Appdome when signing Android Apps off the Appdome platform, from your workstation run:

keytool -list -v -keystore <path_to_keystore> -storepass <store pass> -alias <alias>

Or, another method:

keytool -printcert -jarfile <path_to_app>

NOTE: The SHA1 and SHA256 fingerprints of the signing certificate appear in the command output. The fingerprint is a public identifier that can be extracted from the signed .apk as well.

For example, the output should look like this:

test-alias, Nov 20, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1):BE:D2:E3:17:9F:20:9A:F9:CF:55:E8:31:21:8C:7E:C7:7F:87:62:26

NOTE: You will need to copy-paste this fingerprint into the certificate fingerprint field on Appdome when choosing the option to sign manually. 

Using Appdome’s Auto-DEV Private Signing Script

Prerequisites

  1. An Android signing certificate. You can use the information in these resources on how to create a self-signed certificate Keystore:
    - Using Google Play and your Own Keystore
    - Signing Android Apps with Private Keys and Certificates
  2. Appdome account
  3. Appdome-DEV access
  4. Built Mobile app

How to Use Appdome-DEV Private Signing Script

With the private signing script, which you can obtain from Appdome, users can sign apps that were Built on Appdome without having to upload signing certificates to Appdome.

Here is a link to a great Article on Appdome’s Auto-DEV Private Signing Android Apps Script.

Here’s another link to a great Article on Auto-DEV Private Signing iOS Apps Script.

Signing a Secured Android APK App on your Workstation

Once you have downloaded the Built app from Appdome, you can sign the app on your workstation by running:

zipalign -f 4 <path_to_apk> <path_to_apk>-aligned.apk
mv <path_to_apk>-aligned.apk <path_to_apk>
apksigner sign --ks <path_to_keystore> --ks-pass pass:<store pass> --ks-key-alias <alias> --key-pass pass:<key pass> --v2-signing-enabled --v1-signing-enabled <path_to_apk>

After signing, your app is ready to deploy.
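
The fingerprint check and the signing commands above combined into one script, as an added example that is not Appdome's own code. It reads the keystore passwords from the environment variables KS_PASS and KEY_PASS (assumed names) through apksigner's env: form, so they stay out of the command line, and then confirms that the signed APK carries the certificate fingerprint entered on Appdome. The function names are illustrative.

```shell
#!/bin/sh
# Added example, not Appdome's script. KS_PASS / KEY_PASS are assumed names.

# Strip colons and whitespace and upper-case the hex, so a fingerprint pasted
# with or without ':' separators compares equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are the same valid SHA-1 (40 hex characters)
# or SHA-256 (64 hex characters) digest.
fp_matches() {
  a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
  case "$a" in ''|*[!0-9A-F]*) return 1 ;; esac
  [ "${#a}" -eq 40 ] || [ "${#a}" -eq 64 ] || return 1
  [ "$a" = "$b" ]
}

# Extract signer #1's digest from `apksigner verify --print-certs` output.
# $1 = captured output, $2 = SHA-1 or SHA-256
extract_signer_fp() {
  printf '%s\n' "$1" | sed -n "s/^Signer #1 certificate $2 digest: //p" | head -n 1
}

# Align, sign and verify.
# $1 = APK, $2 = keystore, $3 = alias, $4 = fingerprint entered on Appdome
sign_and_check() {
  expected=$(normalize_fp "$4")
  if [ "${#expected}" -eq 64 ]; then alg=SHA-256; else alg=SHA-1; fi
  zipalign -f 4 "$1" "$1-aligned.apk" && mv "$1-aligned.apk" "$1" || return 1
  # env:NAME makes apksigner read the password from the environment, not argv
  apksigner sign --ks "$2" --ks-pass env:KS_PASS --ks-key-alias "$3" \
    --key-pass env:KEY_PASS --v1-signing-enabled true \
    --v2-signing-enabled true "$1" || return 1
  out=$(apksigner verify --print-certs "$1") || return 1
  actual=$(extract_signer_fp "$out" "$alg")
  fp_matches "$expected" "$actual" || { echo "fingerprint mismatch" >&2; return 1; }
  echo "signed; $alg fingerprint matches"
}

# Usage (after exporting KS_PASS and KEY_PASS):
#   sign_and_check app.apk release.jks my-alias "$FINGERPRINT"
```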

Signing a Secured Android AAB App on your Workstation

Once you have downloaded the Built app from Appdome, you can sign the app on your workstation by running:

jarsigner -sigalg SHA256withRSA -digestalg SHA-256 -keystore <path_to_keystore> -storepass <store pass> -keypass <key pass> -signedjar signed_AAB.aab <path_to_AAB> <alias>

After signing, your app is ready to deploy to the Play store.

Signing an Android app on Appdome

You can always sign an Android app after Fusing on Appdome!  Here is a link with more information on how to accomplish this.

To zoom out on this topic, visit the Appdome Platform section on our website.

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Paul Levasseur
