Hi,
I received a security warning from Google.
They say my app contains an embedded private key. This makes it possible for bad guys to replace my app for a mallware app.
My keystore file is not listed in the file list of the basic for android project. (assets). So I think it is not embedded by keystore file. I only have .bal .pdf .jpg and .png files in the assets file list.
The only place where I created the private key was in menu tools/private sign key
I choose for load existing key, browsed for the file and entered the password.
Why did google find the key in assets? And what do I have to change?
part of the GooglePlay e-mail:
This is a notification that your app(s) ******** , contains one or more private keys or keystore files embedded in its published apk as listed at the end of this email. These embedded items can be accessed by third parties, which can raise a variety of different security concerns depending on what the key is used for. For example, if the private key is the signing key for your application, a third party could sign and distribute apps that replace your authentic apps or corrupt them. Such a party could also sign and distribute apps under your identity.
As a general security practice, we strongly recommend against embedding private keys and keystore files in apps, even if the keys are password protected or obfuscated. The most effective way to protect your private key and keystore files is not to circulate them.
Please remove your private keys and keystore files from your app at your earliest convenience. Each app is different, but if you aren't sure how to locate the keys and keystore files in your app, you can try looking for files with the "keystore" file extension and grepping for "PRIVATE KEY". For more information about keeping your key secure, please see https://developer.android.com/tools/publishing/app-signing.html.
You have a responsibility as a developer to secure your private key properly, at all times. Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.
To check if subsequent versions of your apps contain private keys, please see the Alerts section of the Google Play Developer Console at https://play.google.com/apps/publish/#AlertsPlace.
Affected apps and samples of embedded items: assets/******.keystore
I received a security warning from Google.
They say my app contains an embedded private key. This makes it possible for bad guys to replace my app for a mallware app.
My keystore file is not listed in the file list of the basic for android project. (assets). So I think it is not embedded by keystore file. I only have .bal .pdf .jpg and .png files in the assets file list.
The only place where I created the private key was in menu tools/private sign key
I choose for load existing key, browsed for the file and entered the password.
Why did google find the key in assets? And what do I have to change?
part of the GooglePlay e-mail:
This is a notification that your app(s) ******** , contains one or more private keys or keystore files embedded in its published apk as listed at the end of this email. These embedded items can be accessed by third parties, which can raise a variety of different security concerns depending on what the key is used for. For example, if the private key is the signing key for your application, a third party could sign and distribute apps that replace your authentic apps or corrupt them. Such a party could also sign and distribute apps under your identity.
As a general security practice, we strongly recommend against embedding private keys and keystore files in apps, even if the keys are password protected or obfuscated. The most effective way to protect your private key and keystore files is not to circulate them.
Please remove your private keys and keystore files from your app at your earliest convenience. Each app is different, but if you aren't sure how to locate the keys and keystore files in your app, you can try looking for files with the "keystore" file extension and grepping for "PRIVATE KEY". For more information about keeping your key secure, please see https://developer.android.com/tools/publishing/app-signing.html.
You have a responsibility as a developer to secure your private key properly, at all times. Please note, while it's unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.
To check if subsequent versions of your apps contain private keys, please see the Alerts section of the Google Play Developer Console at https://play.google.com/apps/publish/#AlertsPlace.
Affected apps and samples of embedded items: assets/******.keystore