Menu
The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. How specifically does the public key be distributed to client Android devices? Is the public key contained in apk when developers release the app? If so, where is the key stored?
Or does Android market,e.g. Google play, hold a list of developer id coupled with corresponding public key and push the right key to client devices when an app is downloaded?
Is there any docs convey this information?
Thanks a lot for any inputs.
354
The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the keystore, they can be used for cryptographic operations with the key material remaining non-exportable.
To obtain the public key from the Android Keystore use java. security. KeyStore#getCertificate(String) and then Certificate#getPublicKey() . To help obtain algorithm-specific public parameters of key pairs stored in the Android Keystore, its private keys implement java.
In the menu bar, click Build > Generate Signed Bundle/APK. In the Generate Signed Bundle or APK dialog, select Android App Bundle or APK and click Next. Below the field for Key store path, click Create new. On the New Key Store window, provide the following information for your keystore and key, as shown in figure 2.
The public key is distributed within the apk file. If you unarchive an apk file you can find there a special folder called META-INF where all information about the signature is contained. Basically, you need to explore files with extensions *.RSA and *.DSA, which contain signature of the package along with public key.
You can read these two article (one, two) to understand the process
67
http://developer.android.com/google/play/licensing/adding-licensing.html#account-key
Some parts of the link will resolve your question Embed your public key for licensing
For each application, the Google Play service automatically generates a 2048-bit RSA public/private key pair that is used for licensing and in-app billing. The key pair is uniquely associated with the application. Although associated with the application, the key pair is not the same as the key that you use to sign your applications (or derived from it).
The Google Play Developer Console exposes the public key for licensing to any developer signed in to the Developer Console, but it keeps the private key hidden from all users in a secure location. When an application requests a license check for an application published in your account, the licensing server signs the license response using the private key of your application's key pair. When the LVL receives the response, it uses the public key provided by the application to verify the signature of the license response.
To add licensing to an application, you must obtain your application's public key for licensing and copy it into your application. Here's how to find your application's public key for licensing:
Go to the Google Play Developer Console and sign in. Make sure that you sign in to the account from which the application you are licensing is published (or will be published). In the application details page, locate the Services & APIs link and click it. In the Services & APIs page, locate the Licensing & In-App Billing section. Your public key for licensing is given in the Your License Key For This Application field. To add the public key to your application, simply copy/paste the key string from the field into your application as the value of the String variable BASE64_PUBLIC_KEY. When you are copying, make sure that you have selected the entire key string, without omitting any characters.
Here's an example from the LVL sample application:
public class MainActivity extends Activity {
private static final String BASE64_PUBLIC_KEY = "MIIBIjANBgkqhkiG ... "; //truncated for this example
...
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
