A few months ago, I decided to put my app on the Play Store, which meant I needed to generate a keystore file (the file extension was .jks). I kept that file in a different directory, and I referenced it here:
    android {
        signingConfigs {
            debug {
                storePassword 'Store password'
                keyAlias 'The key alias'
                storeFile file('TheDirectoryPathItIsIn/MyKeyStore.jks')
                keyPassword 'The password'
            }
        }
        ....
    }
And I successfully put it on the Google Play Store, so everything was good. A few months later, I had someone else pull my repo from Git (which means they just get the code) and run my app on another device using Android Studio as well. But it threw an error when running, saying that 'TheDirectoryPathItIsIn/MyKeyStore.jks' was not found. So I moved the keystore file into my Android Studio project (MyAndroidStudioProject/MyKeyStore.jks) and referenced it as storeFile file('./MyKeyStore.jks'). Then no errors showed, but ever since, I've wondered: is it bad to store the generated keystore file in your Android Studio project, for security reasons? And if so, where should it be stored?
I don't really know what the keystore file (.jks) is for, since it doesn't actually say much; it is just symbols. So any explanation of that would be great.
A couple of things to note here.
You asked what the KeyStore is for. Every app has a unique signature that identifies it as being authentic. When a user updates your app, they can only install a new version when it is signed with the same key. This prevents malicious parties from compromising app updates by distributing modified versions. Read more about this here: https://developer.android.com/studio/publish/app-signing
To answer your title question: As long as the Git repository is private, and only you (and other members of your development team) can access it, it is ok to leave the KeyStore in the repository, especially when it is encrypted with a secure password. For additional security though, it should be kept separate, and it should never be uploaded to a public Git repository. But back it up well, as without it, you won't be able to publish app updates for this app anymore.
Regarding the error your colleague experienced, that is because you have entered the KeyStore as the debug key. That is not necessary; you can usually debug your app fine with the default debug key. You definitely shouldn't publish the debug version; you should publish an app built in release mode, either with a Gradle script or by selecting "Build" → "Generate Signed Bundle / APK", which will ask you for a KeyStore without the need to modify Gradle files.
See also: https://developer.android.com/studio/publish/preparing#publishing-build
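The usual way to act on the advice above (keep the keystore and its passwords out of the repository, sign only release builds, let colleagues build debug without the keystore) is to have the module's build.gradle read the signing details from a file that Git ignores. The following Groovy DSL snippet is an added example, not code from the question or the answer. It assumes a keystore.properties file in the project root (listed in .gitignore) with the keys storeFile, storePassword, keyAlias and keyPassword, and the environment variable names KEYSTORE_FILE, KEYSTORE_PASSWORD, KEY_ALIAS and KEY_PASSWORD as a fallback for CI; all of these names are assumptions, not Android conventions.

```groovy
// Module-level build.gradle (Groovy DSL). Added example, not from the original post.
//
// Assumed keystore.properties (excluded from Git via .gitignore), e.g.:
//   storeFile=/home/me/secure/MyKeyStore.jks   <- path outside the repository
//   storePassword=...
//   keyAlias=...
//   keyPassword=...
def keystorePropertiesFile = rootProject.file("keystore.properties")
def keystoreProperties = new Properties()
if (keystorePropertiesFile.exists()) {
    keystorePropertiesFile.withInputStream { stream -> keystoreProperties.load(stream) }
}

// Look a value up in the properties file first, then in the environment
// (assumed variable names; handy on a CI runner that injects secrets).
def signingSecret = { String propertyKey, String envName ->
    keystoreProperties.getProperty(propertyKey) ?: System.getenv(envName)
}

android {
    signingConfigs {
        // No custom "debug" block: Android Studio generates a per-machine debug key
        // automatically, so colleagues never need the release keystore to run the app.
        release {
            def storeFilePath = signingSecret("storeFile", "KEYSTORE_FILE")
            if (storeFilePath != null) {
                storeFile file(storeFilePath)
                storePassword signingSecret("storePassword", "KEYSTORE_PASSWORD")
                keyAlias signingSecret("keyAlias", "KEY_ALIAS")
                keyPassword signingSecret("keyPassword", "KEY_PASSWORD")
            }
        }
    }

    buildTypes {
        release {
            minifyEnabled false
            // Attach the signing config only when the secrets were found, so a fresh
            // clone without keystore.properties still configures and builds debug.
            if (signingConfigs.release.storeFile != null) {
                signingConfig signingConfigs.release
            }
        }
    }
}
```

Pair this with a .gitignore containing `keystore.properties` and `*.jks`, and keep the .jks itself (plus its passwords) in an encrypted backup outside any repository, since losing it means no further updates can be published for that app. If a keystore was ever committed to a repository that others can read, removing it from the current tree is not enough; it stays recoverable from history.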