January 28, 2021

Tech updateCode signingSignServer Enterprise

Android signing schemes, compliance and crypto-agility

Android signing schemes, compliance and crypto agility

Billions of Android devices are in the field and the number is growing year by year. Typically, there is also a new version of the Android operating system released every year, the latest one being Android 11. Android 11 introduces a new application signing scheme referred to as v4. This is good news for Android developers and users, but it needs to be managed by developers, in addition to the previous Android application signing schemes. Android application signing is an essential part of securely developing, distributing and installing android applications and it is a pre-requisite for any application that is to be installed on an Android device. The technology used for Android application signing has continuously evolved by the introduction of new signing schemes. The core idea here is that, while developing and distributing apps within the Android ecosystem, security and trust for the signing schemes should be maintained by a crypto-agile code signing approach. In addition to the original v1 signing schema that is identical to JAR signing, Android applications may now be signed with v2, v3 and v4 signing schemes. Android versions until Android 6 used Android v1 signing scheme. Android 7 introduced v2 signing scheme. Android 9 introduced v3 signing scheme and Android 11 introduced v4 signing scheme. For maximum compatibility and security, Android developers are recommended to sign their applications with all signing schemes. Features in the later signing schemes also improve the user experience when installing Android applications. Android application signing is based on certificates and RSA or ECDSA keys.

Android signing with PrimeKey SignServer

PrimeKey SignServer is a server-side code signing solution that is multi-tenant and supports multiple code signing formats. SignServer supports Android signing and the Android application can be signed with one or multiple signing scheme versions in one single signing request. The signing process is simple and effective. Typically, as a part of the release process, the Android application to be signed is sent to PrimeKey SignServer over a TLS protected connection. The signed application is returned by SignServer and an audit log is generated on the server. After this process, the application is ready to be uploaded to the Google Play store. Many developers are storing encryption keys in local key stores but this causes risks for the keys to be compromised and it is difficult to harmonize security policies for control and compliance. SignServer uses an HSM for centrally generating and storing all Android application signing keys. 

Learn more about how to set up Android signing in PrimeKey SignServer