Reputation: 11
I had my game ported from iOS to Android and I know absolutely nothing about Android. The developer I hired used his keystore file for the app. Should I be worried? And is there anything I can do about it?
Upvotes: 1
Views: 1941
Reputation: 5392
So, first is to understand your keystore. Your keystore is used to generate your APK with a password and upload to the Market.
Once you have uploaded to the market that keystore and password are locked for that app. If the developer has a copy of your keystore and password, they could create an identical bundle id application and sign it with same keystore and password and steal your spot on the market.
You would get an email of course, so you could catch that they did it. Google would likely work with you on this to get it recovered and replaced.
However, you can simply opt-in for app signing on the market now to allow uploading of your current keystore to the app store. This allows you to recover if you ever lose your password or keystore info. This is a nice new feature, but won't stop you from having it stolen obviously.
Now, if the app has NOT been released to the market yet, simply create a new keystore and password and go from there.
If it is on the store and you don't have a large user base yet, you can change the bundle id, delete the old app, and create a new keystore and password for the same app with your new bundle id.
Example: com.mysite.myapp could become com.mysite.mynewapp
Now, for future reference: please do not allow engineers to have your production password. They can help you create a keystore, and then you type the password. Then move the keystore either into the repo as part of the signing or to your CI build machine for generating builds.
The password should be secure. A common way to do this is to keep it in an environment variable on the build server, so only the build server's assembleRelease would work, as the rest would not find the local environment variable value of MY_SIGNING_KEY.
Hope that helps.
Upvotes: 1
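To make the last part of the answer concrete, here is an added example (not from the original answer or any project's own build file) of an app-level build.gradle that signs release builds only when the password is present in the MY_SIGNING_KEY environment variable, as the answer recommends. The keystore path (app/release.jks), the key alias "upload", and the environment variable name are assumptions for illustration; substitute your own.

```groovy
// Added example: app/build.gradle signing configuration that takes the
// release keystore password from the build server's environment.
// Assumed: keystore checked in (or placed on the CI machine) at app/release.jks,
// key alias "upload", and both store and key password in MY_SIGNING_KEY.
// The password itself is never written into the repo.

def releasePassword = System.getenv("MY_SIGNING_KEY")

android {
    signingConfigs {
        release {
            // Only wire up release signing when the secret exists, i.e. on the
            // build server. On a developer machine this block is skipped, so
            // assembleRelease cannot silently produce a properly signed build.
            if (releasePassword != null) {
                storeFile file("release.jks")
                storePassword releasePassword
                keyAlias "upload"
                keyPassword releasePassword
            }
        }
    }

    buildTypes {
        release {
            minifyEnabled false
            // Unsigned release output when the secret is absent.
            signingConfig releasePassword != null ? signingConfigs.release : null
        }
    }
}

// Fail early, with a clear message, if someone runs assembleRelease
// anywhere the password is not available.
tasks.matching { it.name == "assembleRelease" }.configureEach {
    doFirst {
        if (releasePassword == null) {
            throw new GradleException(
                "MY_SIGNING_KEY is not set; release signing only works on the build server")
        }
    }
}
```

The keystore file itself can be created once with the standard JDK tool, for example `keytool -genkeypair -v -keystore release.jks -alias upload -keyalg RSA -keysize 2048 -validity 10000`, with you rather than the contractor typing the password at the prompt. On the CI machine, export MY_SIGNING_KEY as a protected secret of the build job rather than in a file in the repo, and run `./gradlew assembleRelease` there; on any other machine the build stops at the check above instead of using someone else's key.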