Overview of Security Concepts

As we said earlier, Android requires that applications be signed with a digital certificate. One of the benefits of this requirement is that an application cannot be updated with a version that was not published by the original author. If we publish an application, for example, then you cannot update our application with your version (unless, of course, you somehow obtain our certificate and the password associated with it). That said, what does it mean for an application to be signed? And what is the process of signing an application?

You sign an application with a digital certificate. A digital certificate is an artifact that contains information about you, such as your company name, address, and so on. A few important attributes of a digital certificate include its signature and public/private key. A public/private key is also called a key pair. Note that although you use digital certificates here to sign .apk files, you can also use them for other purposes (such as encrypted communication). You can obtain a digital certificate from a trusted certificate authority (CA) and/or generate one yourself using tools such as the keytool, which we'll discuss shortly. Digital certificates are stored in keystores. A keystore contains a list of digital certificates, each of which has an alias that you can use to refer to it in the keystore.

Signing an Android application requires three things: a digital certificate, an .apk file, and a utility that knows how to apply the signature of the digital certificate to the .apk file. As you'll see, we use a free utility that is part of the Java Runtime Environment (JRE) distribution called the keytool. This utility is a command-line tool that knows how to sign a .jar file with a digital certificate.

Now let's move on and talk about how you can sign an .apk file with a digital certificate.

0 0

Post a comment