App transfer from one company to another and certificates

Question

Apps can be transferred from one company to another in both stores, Google Play and Apple Store. However, as I was told, each app has a certificate. I don't know much about this and googling confused me more than it actually helped me. I'm responsible for an app movement and the initialization of an update procedure.

Company X who gave me the task, has an app. The app was developed by DEV Company. The relationship between the two companies got a bit frozen after some time, regarding the ownership of the source code of the app. At the end, both companies agreed, that they will simply transfer the app from the store accounts owned by DEV Company to their own store accounts. To keep peace without any lawyers involved, Company X would redesign the app from scratch without using any code from the current app. Therefore, DEV Company would not handover the source code, just the APK. So Company X would create a new app and once that one goes live, deactivate the old app.

I read both documentations about app transfers on Google https://support.google.com/googleplay/android-developer/answer/6230247?hl=en-GB

and on Apple https://developer.apple.com/library/content/documentation/LanguagesUtilities/Conceptual/iTunesConnect_Guide/Chapters/TransferringAndDeletingApps.html

As long as there are no in-app purchases, there is no problem with transferring an app. However, I can't find any information regarding certificates. Do the certificates come together with the app and will automatically be transferred too or does a certificate belong to the owner of the DEV account, in that case DEV Company? This would mean that the app needs to be recompiled with a new certificate and I believe, it would mean that all users would need to update their app just for this cause, is that correct?

I found this on Apple: https://developer.apple.com/support/certificates/ But this confuses me more than it helps in that situation.

Answer 1

--- For iOS Only ---

I had a similar kind of situation, where I need to transfer my app from one iTunes account to another iTunes account.

Basically there are 4 identities associated with each iOS app:

1. Bundle Id (for ex: com.domainname.appIdentifier)

2. Provisioning profile

3. APNS Certificate (If push notifications implemented for app)

4. Account Certificate (These are developer account specific, means unique for all the app published under same account)

Now transferring the app from one iTunes account to another will migrate the app with the bundle id only. But it will not affect the current working of an app. It will work as fine as it was working before transfer.

Now if you wish to upload new version of app then you need to create new provisioning file, new APNS and you will use the account certificate of new account. (Keep in mind that you need to update the APNS certificate (.p12/ PEM file) on server for your push notification to work.)

---

Now coming to your question specifically, DEV company will transfer app to iTunes account of your company X. It will transfer the app with bundle id, means app on app store will no longer be available under DEV company's account nor they can use same bundle id again. Only your company X can use that bundle id as you get it from transfer from DEV company.

For user point of view, there will not be any change or problem with app uses. Even if you publish new version of app old app will work fine. Only problem can be with push notification functionality if you have in your app, since you will change .p12/ PEM file on your server and so old user will not get push notification without updating the app.

Do let me know if you need any more explanation on it or if you have confusion in any point.

Answer 2

For iOS app, it's necessary to have following items.

1. iOS Distribution: <XXXX company name> in key-chain.
2. Provisioning profile for app-store.
   For Xcode project configuration.
3. The app's bundle identifier.
   For Xcode project configuration. This can be found in Provisioning profile if you don't have it. You can find the method to decode the Provisioning profile to get it.

If another company only needs the ipa for uploading to App store, you need above items to produce the ipa result. If you need to upload to their App store, then you need an account in their Itunes Connect, and it has access right to upload an app to the App store.

You can make the whole thing automatically by Fastlane, a command line tool. I prefer the tutorial on the www.raywenderlich.com about Fastlane.

Answer 3

Davatar's answer is not quite right (at least for Google Play). I can't comment for anywhere but Google Play, let me try to give the correct answer for there.

An app has a certificate, which identifies the owner of the app. This is similar to an SSL certificate. The idea is to tell the end user but more importantly the Android OS, that the current version of the app was created by the same person as the original app. Otherwise anyone could update an app on a device.

So you have three options:

1. In my opinion the better option is to get the certificate from the original developer. Then the app can be transferred to the new developer account, and when a new version is released, all users will get the update
2. If the certificate cannot be handed over this is a worse situation. In this situation there is no option but to publish a new version of the app and unpublish the old version. If you do this
   • existing users will not get updates, they will have to go and install the new version manually
   • existing users will still be able to use the old app
   • existing users will still be able to install the old app (new users can't)
3. Register the app for Google Play App Signing. Then the signing and the certificate will be stored by Google. When the app is transferred, a new upload key can be created for the new owner, which has all the benefits of option 1.

As you can see, the second option is a much worse option for your client and users. Options 1 or 3 are much better.

If the app had been registered for Google Play App Signing, then this problem wouldn't exist. I strongly recommend doing this if a new app is created.

Answer 4

Alright, thanks to Allen R, who gave the answer for this case via comments.

Here's an info about signing keys on Android https://developer.android.com/studio/publish/app-signing.html and on Apple https://developer.apple.com/support/code-signing/, but that's just the explanation of app signing keys.

Basically, an app has a certificate, which identifies the creator/developer of the app. This is similar to an SSL certificate. The idea is to tell the end user, that the current version of the app was created by the original developer.

As Allen states:

You cannot resign the .apk file. You can imagine the security issues that would pose if you could do that allowing some 3rd party to use someone else's signature. The new app will not be able to overwrite the existing app with a different key.

Therefore in the current case, after transferring the app to the new account, it must be deactivated and a new one must be published. The users won't be able to use the original app anymore. If the app was properly designed, it should show an error message at startup/login/whereever possible and inform the user that the app is deprecated and the new version must be downloaded from the store.