
I am developing an Android app and to test in-app purchases I had to set up its page in the Google Play Developer console. This required me to upload an .apk, so I uploaded a blank project created in IntelliJ IDEA. IntelliJ has an option to sign with its default certificate (whose password is public); I used this option thinking it doesn't matter because I would later upload my app signed with my own certificate.

But to my best knowledge Google does not allow me to change the .apk's signing certificate after the app is published (I published to closed alpha testing). My only option would be to create a new app in Google Play console, but that needs to have a different app ID, and I really do not want this.

What kind of risks does it involve if I release my app and everyone can find out the password for the certificate I used to sign my app (and they can download the certificate too)? Are there any?

sydd
    Why the downvotes? This is a valid question, has not been answered in SO and can affect anyone, for example if their servers are compromised – sydd Feb 22 '16 at 14:03
  • It has nothing to do with where to store the app key. Its about the implications of your app key getting public. – sydd Feb 26 '16 at 10:22

1 Answer


The only risks I can think of with publishing an APK signed with a known key are:

  1. If someone has the password for your Google account, they could log in and publish updates to your app because they can also sign an APK with the same key you originally used.

  2. If your app was installed on a device, someone could sideload an update to it, and Android would allow it if the app ID and signature both match. This sideloaded app would then have access to all the user data created in the prior installation of the app.

If it was me making the decision whether or not to publish with this key, I would just create a new app id. Consumers really don't care about that string and probably never even see it.

Doug Stevenson
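A pre-upload check for the situation described in the question and answer above, as an added shell example that is not part of this thread: it parses the output of `apksigner verify --print-certs` and rejects an APK whose signer certificate matches a deny-list of publicly known certificates (such as a default or debug keystore whose password is public). The `KNOWN_PUBLIC_CERTS` list, its all-zero fingerprint and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: stop an APK signed with a publicly known certificate
# from being uploaded to the Play console by accident.

# Constructed placeholder deny-list: replace the all-zero value with the
# SHA-256 digest of each certificate you must never ship with. Obtain a
# digest with: apksigner verify --print-certs <apk>
KNOWN_PUBLIC_CERTS="
0000000000000000000000000000000000000000000000000000000000000000
"

# Reads `apksigner verify --print-certs` output on stdin and returns 1
# if any signer's SHA-256 digest appears in the deny-list given as $1.
check_signer_digests() {
    denylist=$1
    status=0
    while IFS= read -r line; do
        case "$line" in
            *"certificate SHA-256 digest:"*)
                # Normalise to lowercase hex with no surrounding whitespace
                digest=$(printf '%s' "$line" | sed 's/.*digest: *//; s/[[:space:]]*$//' | tr 'A-F' 'a-f')
                for bad in $denylist; do
                    if [ "$digest" = "$bad" ]; then
                        echo "REJECT: signer certificate $digest is publicly known" >&2
                        status=1
                    fi
                done
                ;;
        esac
    done
    return $status
}

# Wrapper for a real APK; needs apksigner from the Android SDK build-tools.
check_apk() {
    apksigner verify --print-certs "$1" | check_signer_digests "$KNOWN_PUBLIC_CERTS"
}
```

Run `check_apk app-release.apk` in your release script and abort the upload when it returns non-zero.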