Mobile Apps Development

iOS + Android Code Signing: What You Need To Know

November 19, 2019

Mobile app development is fun … until code signing, which is a really painful and cumbersome task that mobile developers cannot run away from, unless you completely understand how it works. In this article, we’ll talk about how code signing works on the iOS + Android platforms.

What is code signing?

code signing
Figure 1. Components of iOS Code Signing

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity. In the case of mobile apps, users can be assured that the apps they download from the App Store or Google Play Store are from the developers they trust, without worrying too much about security.

iOS Code Signing

To build and deploy an app to the App Store, we need to have the development and distribution certificates. To do that, a Certificate Signing Request (CSR) needs to be generated. CSR is the process of requesting certificates from the Certificate Authority (CA – which is Apple) so that Apple can verify the details of who is requesting an issue of the developer certificate (if the details are correct). A CSR file is created from a local macOS machine, along with a pair of private & public key (the applicant keeps the private key secret). It has a .certSigningRequest extension and typically includes the certificate request information, signature algorithm, and a public key of the requester.

Next, we need to submit our CSR to create a new certificate (development/distribution) on the Apple Developer Portal. The certificate will have an extension of .cer. You can download the certificate and install it in Keychain Access by double-clicking on it. Basically, the certificate has all the data that we have provided while creating the certificate signing request (email, name, country). Apple then adds some signer data like authority, expiry date, etc. 

Having the certificate alone can’t code sign an iOS app

We need the other components in the signing process: provisioning profiles & entitlements.

code signing
Figure 2. List of entitlements (capabilities)

The app’s entitlements or capabilities are configured to specify which resources of the system that app is allowed to use and under what situation, for example iCloud, Push Notifications, Apple Pay, Siri, etc.

If certificates are all about our identities (as developers), then provisioning profiles are all about our apps. A provisioning profile contains these pieces of information:

  • Team ID
  • Bundle ID
  • App ID
  • Entitlements
  • Developer certificates
  • Provisioned devices in the list of UDIDs (for development certificate. In the case of distribution certificate, there’s no provisioned devices)
code signing
Figure 3. Summary of iOS Code Signing process
(Source: iOS Code Signing & Provisioning in a Nutshell)

After we have the certificates and provisioning profiles ready

We can now move to the next steps of code signing. First, all parts of the code will be hashed to make a “seal” to ensure integrity. The hashes will then be encrypted using the signer’s private key. The encrypted hashes along with the signer’s certificate represent the digital signature that is stored in the app. This is the end of the code signing process.

When a user downloads & installs an app from App Store, the provisioning profiles are pushed to that user’s device. iOS will proof if everything is correctly configured. It means that the Provisioning Profile should include the Certificate you used to sign the aApp, the app ID is correct, your device is in the list of provisioned devices (in the case of development certificate), etc. If one of the above checks fails, the app can’t be opened on the device!

Android Code Signing

As opposed to the complexity of the iOS code signing process, the Android one is somewhat easy to comprehend. But first, you will need to know about Google Play’s app signing.

App signing is a process by Google Play to manage and protect your app’s signing key for you and uses it to sign your APKs for distribution. It’s an opt-in process, meaning you can choose whether to have it or not (having it is recommended though). Doing so will benefit you as follows: 

  • Use the Android App Bundle and support Google Play’s Dynamic Delivery (will be covered in later topics). The Android App Bundle makes your app much smaller, your releases simpler, and makes possible dynamic features and instant experiences.
  • Increase the security of your signing key, and make it possible to use a separate upload key to sign the app bundle you upload to Google Play.
code signing
Figure 4. Signing an app with app signing by Google Play

App signing process uses two keys: upload key and app signing key (the naming is quite confusing). The upload key is to sign your app for upload to Google Play, and will be kept by you in your secured storage. When you sign the app using your upload key and upload it to Google Play, Google Play will replace the key with the app signing key before distribution.

By using a separate upload key, you can request an upload key reset if your key is lost or compromised. If you’re not opted-in to app signing by Google Play and you lose your upload key, your ability to update your app is simply lost forever. In this case, Google will simply utilize your upload key for distribution.

You can generate upload key using the following command

This command prompts you for passwords for the keystore and alias,along with some additional information. It then generates the keystore as a file called my-upload-key.keystore (with the alias of my-key-alias). This key will be valid for 10000 days.

After that, you can generate your app’s APK (or App Bundle), submit it to Google Play and opt-in to app signing by letting Google create and manage your app signing key. The first key that you use to upload your app will become the official upload key, and you should use that key for future releases. Google will generate an app signing key for you to manage the app distribution.

If you are looking for an awesome software outsourcing company, look no further than Designveloper. We offer a wide range of services such as web design, software development, and business consultant.

Why code sign iOS apps?

In summary, code signing makes the apps secure for users. Code signing ensures that nothing has been changed since the developer signed the code. There is no chance of an attacker changing the code when it has been written by the developer.

Code signing makes the user feel safe whilst using the app, providing the app has been developed by trusted developers. Every developer or organization who wants to develop iOS apps needs a certificate from Apple to make apps.

What we need for code signing?

For code signing we need. The short version is here.

  • Send package to the distributor.
  • Create the Java Development Kit (JDK) file.
  • Sign our app bundle or APK with our private key.
  • Modify the build.gradle

What is required to code sign apps?

There are various things that people at DSV need to code sign our iOS apps. They will briefly address each one.

Certificate Signing Request (CSR)

The CSR needs to be sent to the (CA), which is Apple for the iOS platform. The developer needs to create a (CSR) from their local machine. Anyone can create a CSR from their local macOS machine using the Keychain:

  • Fill in your details (email, name, country, etc.).
  • Specify a filename and click Save.
  • Select the option Save to disk.
  • Click Continue and the Certificate Assistant generates a CSR and saves the file to your computer.

Provisioning profiles

The provisioning profile is a combination of the Team ID, Bundle ID, App ID, Device ID and Entitlements.

  • the app can only run trust based on the certificate embedded in the provisioning profile.
  • an app with that app ID can run on certain devices included in the provisioning profile.
  • a specific app with an App ID.
  • the app should only have those entitlements defined in the provisioning profile.

Provisioning profiles can also be created for development as well as distribution certificates.

Certificate

iOS development certificates are usually associated with private keys. As a developer, you can create a certificate for development or distribution. However, distribution certificates are used to release apps to the App Store that can run on any device. The development certificate can use to develop apps internally, which are deployed on internal devices.


REFERENCES

  • https://en.wikipedia.org/wiki/Code_signing
  • https://dzone.com/articles/ios-code-signing-part-1-getting-started
  • https://developer.android.com/studio/publish/app-signing
  • https://medium.com/ios-os-x-development/ios-code-signing-provisioning-in-a-nutshell-d5b247760bef

An article by sontl – thainx.

Also published on

Share post on

Get in touch

Simply register below to receive our weekly newsletters with the newest blog posts