Given that I want to support all android devices which are, say, Froyo or later, what's the most secure signing algorithm I can use? I do not need to place my APK in Android Market.
I know, for instance, that some phones support sha1withrsa but not sha256withrsa (Link).
Please refer to the android dev guide on signing.
The current default method is SHA1withRSA:
$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name
while a few years ago the signing method recommended was MD5withRSA.
[...] what's the most secure signing algorithm I can use?
Are you concerned with some specific attack that makes you think that SHA1withRSA or SHA256withRSA would be more secure? I can't foresee any scenario.
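An added example, not part of the original question or answers: a Python check that reads the JAR (v1) signing metadata inside an APK and reports which digest algorithm (the jarsigner -digestalg choice) each file records. It does not parse the PKCS#7 block that holds the -sigalg choice; the helper names and the sample APK bytes are constructed for illustration.

```python
import io
import re
import zipfile

# jarsigner writes headers such as "SHA1-Digest:" or "SHA-256-Digest-Manifest:".
DIGEST_HEADER = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)
# Digests with published collision attacks; flagged for review, not rejected.
LEGACY = {"MD5", "SHA1", "SHA-1"}

def unfold(text):
    """Undo JAR manifest line folding (continuation lines start with one space)."""
    return re.sub(r"\r?\n ", "", text)

def digest_algorithms(apk_bytes):
    """Map MANIFEST.MF and each *.SF file to the digest algorithms it names."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            if upper.endswith("/MANIFEST.MF") or upper.endswith(".SF"):
                text = unfold(apk.read(name).decode("utf-8", "replace"))
                found[name] = sorted(set(DIGEST_HEADER.findall(text)))
    return found

def legacy_files(report):
    """Names of metadata files that use at least one legacy digest."""
    return sorted(n for n, algs in report.items() if LEGACY & set(algs))

def build_sample_apk(alg):
    """Constructed sample: a zip with hand-written v1 metadata (dummy digest values)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex")
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\n\r\n"
                   f"Name: classes.dex\r\n{alg}-Digest: AAAA\r\n\r\n")
        z.writestr("META-INF/CERT.SF",
                   f"Signature-Version: 1.0\r\n{alg}-Digest-Manifest: BBBB\r\n\r\n"
                   f"Name: classes.dex\r\n{alg}-Digest: CCCC\r\n\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    for alg in ("SHA1", "SHA-256"):
        report = digest_algorithms(build_sample_apk(alg))
        print(alg, report, "legacy:", legacy_files(report))
```

To check a real build, pass the bytes of the signed APK file to digest_algorithms() instead of the constructed sample.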