Signing Android app for secure content provider
I was always curious how to manage Android keystore certificates for multiple apps: either generate a separate keystore file each time, or just use multiple aliases in the same keystore.
Now it's time to make it clear.
To find out, I've created a sample app with multiple flavors. Each flavor can be installed on the device, and they do not run in the same process, so their keystore fingerprints should be different. Can we do this using aliases? Let's check. To make sure everything works, I'll use a secured content provider based on signature-level verification.
Flavors config:
Generate our keystore with multiple aliases:
keytool -genkey -v -keystore release_key.keystore -alias flavor1 -keyalg RSA -keysize 2048 -validity 10000
Add another alias to the keystore
keytool -genkey -v -keystore release_key.keystore -alias flavor2 -keyalg RSA -keysize 2048 -validity 10000
Configure two signing configs:
Configure release signing for both flavors:
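One way to wire the two aliases created above into per-flavor release signing, shown as an added example rather than the author's own build file. The applicationId values, the flavor dimension name and the environment variable names are assumptions; the keystore file name and aliases come from the keytool commands above.

```groovy
// app/build.gradle (Groovy DSL) - added example, not the project's own file.
android {
    signingConfigs {
        // Both configs read the same keystore file. Only the alias differs,
        // so each one selects a different key pair and certificate.
        flavor1 {
            storeFile file("release_key.keystore")
            storePassword System.getenv("KEYSTORE_PASSWORD")    // assumed variable name
            keyAlias "flavor1"
            keyPassword System.getenv("FLAVOR1_KEY_PASSWORD")   // assumed variable name
        }
        flavor2 {
            storeFile file("release_key.keystore")
            storePassword System.getenv("KEYSTORE_PASSWORD")    // assumed variable name
            keyAlias "flavor2"
            keyPassword System.getenv("FLAVOR2_KEY_PASSWORD")   // assumed variable name
        }
    }

    flavorDimensions "app"                                      // assumed dimension name
    productFlavors {
        flavor1 {
            dimension "app"
            applicationId "com.example.flavor1"                 // assumed package name
            signingConfig signingConfigs.flavor1
        }
        flavor2 {
            dimension "app"
            applicationId "com.example.flavor2"                 // assumed package name
            signingConfig signingConfigs.flavor2
        }
    }

    buildTypes {
        release {
            // No signingConfig here: a signingConfig set on the build type
            // takes precedence over the flavor's, which would sign both
            // flavors with one key and let the signature check pass.
            minifyEnabled false
        }
    }
}
```

Debug builds still use the shared debug key unless the debug build type's signingConfig is cleared, so the signature check only separates the flavors in release builds. Comparing the fingerprints that `keytool -list -v -keystore release_key.keystore` prints for each alias confirms that the two certificates differ.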
Each flavor has its own content provider, which is secured by a signature-level permission
The code for the content provider is quite simple; it just returns an empty MatrixCursor
Flavor2 will try to get access to the Flavor1 content provider
Now it's time to install both apps and check that Flavor2 does NOT have access to Flavor1 data. And it's true, everything works as expected. To get access to Flavor1 data from Flavor2 we need to sign it with the Flavor2 signingConfig.
Code is available on GitHub