Technical Community

iOS + Android Code Signing: What You Need To Know

November 19 ,2019

Mobile app development is fun … until code signing, which is a really painful and cumbersome task that mobile developers cannot run away from, unless you completely understand how it works. In this article, we’ll talk about how code signing works on the iOS + Android platforms.


What is code signing?

code signing
Figure 1. Components of iOS Code Signing


Code signing
is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity. In the case of mobile apps, users can be assured that the apps they download from the App Store or Google Play Store are from the developers they trust, without worrying too much about security.


iOS Code Signing

To build and deploy an app to the App Store, we need to have the development and distribution certificates. To do that, a Certificate Signing Request (CSR) needs to be generated. CSR is the process of requesting certificates from the Certificate Authority (CA – which is Apple) so that Apple can verify the details of who is requesting an issue of the developer certificate (if the details are correct). A CSR file is created from a local macOS machine, along with a pair of private & public key (the applicant keeps the private key secret). It has a .certSigningRequest extension and typically includes the certificate request information, signature algorithm, and a public key of the requester.

Next, we need to submit our CSR to create a new certificate (development/distribution) on the Apple Developer Portal. The certificate will have an extension of .cer. You can download the certificate and install it in Keychain Access by double-clicking on it. Basically, the certificate has all the data that we have provided while creating the certificate signing request (email, name, country). Apple then adds some signer data like authority, expiry date, etc. 

Having the certificate alone can’t code sign an iOS app, we need the other components in the signing process: provisioning profiles & entitlements.

code signing
Figure 2. List of entitlements (capabilities)


The app’s
entitlements or capabilities are configured to specify which resources of the system that app is allowed to use and under what situation, for example iCloud, Push Notifications, Apple Pay, Siri, etc.

If certificates are all about our identities (as developers), then provisioning profiles are all about our apps. A provisioning profile contains these pieces of information:

  • Team ID
  • Bundle ID
  • App ID
  • Entitlements
  • Developer certificates
  • Provisioned devices in the list of UDIDs (for development certificate. In the case of distribution certificate, there’s no provisioned devices)
code signing
Figure 3. Summary of iOS Code Signing process
(Source: iOS Code Signing & Provisioning in a Nutshell)


After we have the certificates and provisioning profiles ready, we can now move to the next steps of
code signing. First, all parts of the code will be hashed to make a “seal” to ensure integrity. The hashes will then be encrypted using the signer’s private key. The encrypted hashes along with the signer’s certificate represent the digital signature that is stored in the app. This is the end of the code signing process.

When a user downloads & installs an app from App Store, the provisioning profiles are pushed to that user’s device. iOS will proof if everything is correctly configured. It means that the Provisioning Profile should include the Certificate you used to sign the aApp, the app ID is correct, your device is in the list of provisioned devices (in the case of development certificate), etc. If one of the above checks fails, the app can’t be opened on the device!


Android Code Signing

As opposed to the complexity of the iOS code signing process, the Android one is somewhat easy to comprehend. But first, you will need to know about Google Play’s app signing.

App signing is a process by Google Play to manage and protect your app’s signing key for you and uses it to sign your APKs for distribution. It’s an opt-in process, meaning you can choose whether to have it or not (having it is recommended though). Doing so will benefit you as follows: 

  • Use the Android App Bundle and support Google Play’s Dynamic Delivery (will be covered in later topics). The Android App Bundle makes your app much smaller, your releases simpler, and makes possible dynamic features and instant experiences.
  • Increase the security of your signing key, and make it possible to use a separate upload key to sign the app bundle you upload to Google Play.
code signing
Figure 4. Signing an app with app signing by Google Play


App signing process uses two keys: upload key and app signing key (the naming is quite confusing). The upload key is to sign your app for upload to Google Play, and will be kept by you in your secured storage. When you sign the app using your upload key and upload it to Google Play, Google Play will replace the key with the app signing key before distribution. By using a separate upload key, you can request an upload key reset if your key is lost or compromised. If you’re not opted-in to app signing by Google Play and you lose your upload key, your ability to update your app is simply lost forever. In this case, Google will simply utilize your upload key for distribution.

You can generate upload key using the following command:

This command prompts you for passwords for the keystore and alias,along with some additional information. It then generates the keystore as a file called my-upload-key.keystore (with the alias of my-key-alias). This key will be valid for 10000 days.

After that, you can generate your app’s APK (or App Bundle), submit it to Google Play and opt-in to app signing by letting Google create and manage your app signing key. The first key that you use to upload your app will become the official upload key, and you should use that key for future releases. Google will generate an app signing key for you to manage the app distribution.

If you are looking for an awesome software outsourcing company, look no further than Designveloper. We offer a wide range of services such as web design, software development, and business consultant.


REFERENCES

https://en.wikipedia.org/wiki/Code_signing

https://dzone.com/articles/ios-code-signing-part-1-getting-started

https://medium.com/ios-os-x-development/ios-code-signing-provisioning-in-a-nutshell-d5b247760bef

https://developer.android.com/studio/publish/app-signing


An article by sontl – thainx.

Also published on

Share post on