Android application signing is based on certificates and RSA or ECDSA keys.

Android application signing is an essential part of securely developing, distributing and installing android applications and it is a pre-requisite for any application that is to be installed on an Android device. The technology used for Android application signing has continuously evolved by the introduction of new signing schemes. The core idea here is that, while developing and distributing apps within the Android eco system, security and trust for the signing schemes should be maintained by a crypto agile code signing approach. In addition to the original v1 signing schema that is identical to JAR signing, Android applications may now be signed with v2, v3 and v4 signing schemes.

Android versions until Android 6 used Android v1 signing scheme. Android 7 introduced v2 signing scheme. Android 9 introduced v3 signing scheme and Android 11 introduced v4 signing scheme. For maximum compatibility and security, Android developers are recommended to sign their applications with all signing schemes. Features in the later signing schemes also improve user experience when installing Android applications.

Read our Tech Update to learn more:

Android signing schemes, compliance and crypto agility