A distributor is asking for an unsigned version of my app’s apk. Is there some security risk I am taking if I give it to him? I’m not really sure of the purpose of the signature.
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
A distributor is asking for an unsigned version of my app’s apk. Is there some security risk I am taking if I give it to him? I’m not really sure of the purpose of the signature.
The digital signature is used to verify the installation of the app.
Android’s app system is built in such a way that once an app is installed, any updates being installed must have the same digital signature attached to them. If the update has been signed by a different key, then Android will not allow its installation. This is done to prevent your app from being replaced with a malicious app posing as yours. As the malicious app will not share the same signature, it cannot replace your app.
Additionally, App stores like Google Play will not allow you to upload an apk as an update to the app if it isn’t signed with the same key.
Distributing an unsigned apk shouldn’t pose a threat to you per se, but if someone can get hold of your signing key, they can cause a lot of damage. I don’t see a problem with giving the distributor the apk, but make sure that your signing keys stay with you, especially if you use one for multiple apps.