Menu
I'm using a keystore (.jks) to store the certificate I use to sign my Android applications. The Android documentation and community have impressed on me the importance of never losing this file, but I haven't found any guidance on where I should keep it.
Would storing it in Git be a terrible idea (i.e. would it have security consequences)?
Assume that the keystore itself and the private keys inside both have strong passwords on them.
379
Keystore file is stored and secured in Google play. Your APKs will be signed by Google Play with app signing key and published to users. Even if you lost your upload key you can contact with Google and you can update your application after validating your account.
Since the keystore file is secured with a password, we have used the brute-force and the dictionary attack to crack the password of the keystore file in Ethereum wallets. Our results showed that the dictionary attack is more efficient to hack the keystore file than the brute-force attack.
keystore and . jks are just file extensions: it's up to you to name your files sensibly. Some application use a keystore file stored in $HOME/. keystore: it's usually implied that it's a JKS file, since JKS is the default keystore type in the Sun/Oracle Java security provider.
If we need to manage keys and certificates in Java, we need a keystore, which is simply a secure collection of aliased entries of keys and certificates.
Anyone with read access to your Git repo will get the private key. This is considered a security issue and for that reason it is not recommended. If your GIT repo is completely private meaning no one but you has access to it (NOT A private repo on i.e. GitHub, but rather git repo on local disk or in the infrastructure you control in 100%) then putting your private key there is as safe as keeping it on your local disk.
Assume that the keystore itself and the private keys inside both have strong passwords on them
Note that password is your last way of defense in case of your ("public") private key. If it will be compromised in any way (guessed, stolen, cracked) then it's over.
Additionally, I am more than certain that not all (if any) of devs needs access to release keys. If you need them to have it, hand it off the repo. But I'd first rethink the security policy.
166
To update your App you need two things:
By putting the certificate into your repository and sharing it with your developers you are giving up one security token.
If your Google Play Dev Console account is secure then you should be fine. But it depends on your szenario.
Putting it into the repository is much easier:
Many people prefer putting it on one or many SD Cards and put it somewhere. But most people don't have a place called "somewhere" in their office. Can it still be read in a few years?
Two more consideration:
If the product owner of the android app changes in your company you never know if the old owner still has a copy and nobody knows who has access to it already. You can't change the key. So if the key is once passed from one person to another, it must be assumed insecure.
Of course, you can keep it completely private. It is secured by your password which nobody knows. But what happens if you die? Someone might want to update your app. It is not possible. A private key which is kept private is lost when you die.
So I think putting it in your repository is fine. Take care to secure your Google account. For this account the password can be changed, two-faktor can be activated and so on.
25
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
