Signing an Android app for a secure content provider

I was always curious how to manage Android keystore certificates for multiple apps: either generate a separate keystore file each time, or just use multiple aliases in the same keystore.

Now it's time to make it clear.

To find out, I've created a sample app with multiple flavors. Each flavor can be installed on the device, and they do not run in the same process, so the keystore fingerprint of each should be different. Can we do this using aliases? Let's check. To make sure everything works, I'll use a secured content provider based on signature-level verification.

Flavors config:

Generate our keystore with multiple aliases:

keytool -genkey -v -keystore release_key.keystore -alias flavor1 -keyalg RSA -keysize 2048 -validity 10000

Add another alias to the keystore:

keytool -genkey -v -keystore release_key.keystore -alias flavor2 -keyalg RSA -keysize 2048 -validity 10000

Configure two signing configs:

Configure release signing for both flavors:

Each flavor has its own content provider, which is secured by a signature-level permission.

The code for the content provider is quite simple: it just returns an empty MatrixCursor.

Flavor2 will try to get access to Flavor1 content provider

Now it's time to install both apps and check that Flavor2 does NOT have access to Flavor1 data. And it's true, everything works as expected. To get access to Flavor1 data from Flavor2, we need to sign it with Flavor2 signingConfig.
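The result above follows from the fact that a signature-level permission is granted only when both apps are signed with the same certificate, and each alias in a keystore holds its own key pair and certificate. The script below is an added example, not code from the original post or its repository: it builds a throwaway keystore with the two aliases and compares their SHA-256 certificate fingerprints. The store password, the `-dname` values and the temporary path are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed values: the store
# password, the -dname strings and the temporary keystore location.
STOREPASS="demo-password"

# gen_alias KEYSTORE ALIAS: the post's keytool command, made non-interactive.
gen_alias() {
    keytool -genkey -keystore "$1" -alias "$2" \
        -keyalg RSA -keysize 2048 -validity 10000 \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=$2, O=Example" >/dev/null 2>&1
}

# fingerprint KEYSTORE ALIAS: print the SHA-256 fingerprint of the alias's
# certificate, or nothing if the alias does not exist.
fingerprint() {
    keytool -list -v -keystore "$1" -alias "$2" \
        -storepass "$STOREPASS" 2>/dev/null |
        awk '$1 == "SHA256:" { print $2; exit }'
}

# same_signer KEYSTORE ALIAS_A ALIAS_B: succeed only when both aliases hold
# the same certificate; a missing alias never counts as a match.
same_signer() {
    fp_a=$(fingerprint "$1" "$2")
    fp_b=$(fingerprint "$1" "$3")
    [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# Build a throwaway keystore with both aliases and report the result.
run_demo() {
    work=$(mktemp -d) || return 2
    ks="$work/release_key.keystore"
    gen_alias "$ks" flavor1 && gen_alias "$ks" flavor2 || { rm -rf "$work"; return 2; }
    echo "flavor1 $(fingerprint "$ks" flavor1)"
    echo "flavor2 $(fingerprint "$ks" flavor2)"
    if same_signer "$ks" flavor1 flavor2; then
        echo "same certificate: signature permissions would be shared"
    else
        echo "different certificates: signature permissions are not shared"
    fi
    rm -rf "$work"
}

if command -v keytool >/dev/null 2>&1; then
    run_demo
else
    echo "keytool not found on PATH" >&2
fi
```

The same `fingerprint` call can be pointed at the real `release_key.keystore` (with its own password) to record which fingerprint belongs to which flavor.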

Code is available on GitHub

 
