Sign Android APKs

Details

APKs should be signed correctly with a non-expired certificate.

Remediation

  • Sign a production app with a production certificate, not a debug certificate
  • Make sure the certificate includes a sufficient validity period (i.e., won’t expire during the expected lifespan of the app)
  • Google recommends that your signing key be at least 2048 bits (RSA)
  • Make sure the keystore containing the signing key is properly protected
  • Restrict access to the keystore to only those people who absolutely require it

Here’s an example of a keytool command that generates a signing key pair (with a self-signed certificate) in a keystore:

  $ keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
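The remediation points above (production rather than debug certificate, sufficient validity period, at least a 2048-bit key) can be checked against the text that `keytool -list -v -keystore <keystore>` prints. The script below is an added example written for this page; it is not part of the original rule or of the Android tooling. It assumes the English-locale keytool output format with UTC timestamps (run keytool with `-J-Duser.timezone=UTC` to get them), a keystore holding a single key entry, and the two constructed keytool outputs embedded in the script, which are made-up sample data rather than real keystores.

```python
"""Check an Android signing certificate against the remediation rules.

Added example, not from the original page. Parses `keytool -list -v` text
(English locale, UTC dates assumed) and reports: a debug certificate, a key
shorter than 2048 bits, and a validity period that ends before the expected
lifetime of the app.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# keytool prints dates like "Tue Jan 02 10:00:00 UTC 2024" in the English locale.
KEYTOOL_DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"

_OWNER_RE = re.compile(r"^Owner: (.+)$", re.MULTILINE)
_VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$", re.MULTILINE)
_KEY_RE = re.compile(r"^Subject Public Key Algorithm: (\d+)-bit (\w+) key", re.MULTILINE)

# Constructed sample: shape of keytool output for an SDK-style debug keystore.
# Values (dates, 1024-bit key) are made up to trigger every finding.
SAMPLE_DEBUG_OUTPUT = """\
Alias name: androiddebugkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial number: 1
Valid from: Tue Jan 02 10:00:00 UTC 2024 until: Thu Jan 01 10:00:00 UTC 2026
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 1024-bit RSA key
"""

# Constructed sample: a release keystore generated with the command above
# (2048-bit RSA, 10000-day validity). Hypothetical organisation name.
SAMPLE_RELEASE_OUTPUT = """\
Alias name: alias_name
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example Release Key, O=Example Corp, C=US
Issuer: CN=Example Release Key, O=Example Corp, C=US
Serial number: 2a1f
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Sun Jan 01 00:00:00 UTC 2051
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
"""


def parse_keytool_cert(text):
    """Extract owner DN, validity window and key size from keytool -list -v text.
    Assumes one PrivateKeyEntry; raises ValueError if no certificate is found."""
    owner = _OWNER_RE.search(text)
    valid = _VALID_RE.search(text)
    if not owner or not valid:
        raise ValueError("no certificate found in keytool output")
    parse = lambda s: datetime.strptime(s.strip(), KEYTOOL_DATE_FMT).replace(tzinfo=timezone.utc)
    key = _KEY_RE.search(text)
    return {
        "owner": owner.group(1).strip(),
        "not_before": parse(valid.group(1)),
        "not_after": parse(valid.group(2)),
        "key_bits": int(key.group(1)) if key else None,  # None on older keytool versions
        "key_alg": key.group(2) if key else None,
    }


def assess_signing_cert(text, expected_lifetime_years, today=None, min_key_bits=2048):
    """Return a list of findings; an empty list means the certificate satisfies the rules.
    `today` is an ISO date string (UTC) so runs are reproducible; None means now."""
    now = (datetime.fromisoformat(today).replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    cert = parse_keytool_cert(text)
    findings = []
    # Rule: production certificate, not the SDK's "CN=Android Debug" certificate.
    if re.search(r"CN=Android Debug\b", cert["owner"]):
        findings.append("debug certificate (CN=Android Debug): sign release builds with a production key")
    # Rule: key of at least 2048 bits.
    if cert["key_bits"] is not None and cert["key_bits"] < min_key_bits:
        findings.append(f"{cert['key_bits']}-bit {cert['key_alg']} key: use at least {min_key_bits} bits")
    # Rule: validity must cover the app's expected lifespan from today.
    if cert["not_after"] <= now:
        findings.append(f"certificate expired on {cert['not_after']:%Y-%m-%d}")
    else:
        needed_until = now + timedelta(days=365 * expected_lifetime_years)
        if cert["not_after"] < needed_until:
            findings.append(f"certificate expires {cert['not_after']:%Y-%m-%d}, inside the "
                            f"expected {expected_lifetime_years}-year lifetime of the app")
    return findings


if __name__ == "__main__":
    if sys.stdin.isatty():  # no piped keytool output: demonstrate on the constructed samples
        for name, sample in (("debug", SAMPLE_DEBUG_OUTPUT), ("release", SAMPLE_RELEASE_OUTPUT)):
            print(name, assess_signing_cert(sample, expected_lifetime_years=10) or ["ok"])
    else:  # usage: keytool -J-Duser.timezone=UTC -list -v -keystore my-release-key.keystore | python check_cert.py
        for finding in assess_signing_cert(sys.stdin.read(), expected_lifetime_years=10) or ["ok"]:
            print(finding)
```

The lifetime check is the one teams most often miss: a certificate can be valid today and still expire while the app is in the store, and a new key cannot be used to update an existing app, so the check compares the expiry date against today plus the expected lifespan rather than against today alone.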

References

CWE/OWASP