Android Question Key not secure?

Scotter

Scotter

Active Member
Licensed User
I used B4A's keystore system and it works for both Amazon and Google Play store. BUT Google gives me this message:
Security Alert: Your app contains embedded private keys or keystore files

This app contains one or more private keys or keystore files embedded in its published apk as listed at the end of this message. These embedded items can be accessed by third parties, which can raise a variety of different security concerns depending on what the key is used for. For example, if the private key is the signing key for your application, a third party could sign and distribute apps that replace your authentic apps or corrupt them. Such a party could also sign and distribute apps under your identity.

As a general security practice, we strongly recommend against embedding private keys and keystore files in apps, even if the keys are password protected or obfuscated. The most effective way to protect your private key and keystore files are not to circulate them.

Please remove your private keys and keystore files from your app at your earliest convenience.
Click to expand...
Help?
 
Sort by date Sort by votes
walterf25

walterf25

Expert
Licensed User
Longtime User
Scotter said:
I used B4A's keystore system and it works for both Amazon and Google Play store. BUT Google gives me this message:

Help?
Click to expand...
Did you copy the actual physical keystore file into your project files?

If so you're not supposed to do that.

Walter
 
Upvote 0
Scotter

Scotter

Active Member
Licensed User
walterf25 said:
Did you copy the actual physical keystore file into your project files?

If so you're not supposed to do that.

Walter
Click to expand...
Thanks! I removed the keystore from files.
But now it won't fully compile:
B4X: 
Convert byte code - optimized dex.    (5.56s)
    Optimized dexer failed. Switching to Standard dexer.
Packaging files.    (0.80s)
Copying libraries resources    (0.00s)
Signing package file (private key).    Error

jarsigner error: java.lang.RuntimeException: keystore load: F:\Dropbox\Projects_B4A\_P2E App\Files\key01.keystore (The system cannot find the file specified)
 
Upvote 0
walterf25

walterf25

Expert
Licensed User
Longtime User
Scotter said:
Thanks! I removed the keystore from files.
But now it won't fully compile:
B4X: 
Convert byte code - optimized dex.    (5.56s)
    Optimized dexer failed. Switching to Standard dexer.
Packaging files.    (0.80s)
Copying libraries resources    (0.00s)
Signing package file (private key).    Error

jarsigner error: java.lang.RuntimeException: keystore load: F:\Dropbox\Projects_B4A\_P2E App\Files\key01.keystore (The system cannot find the file specified)
Click to expand...
The reason you get this error is because you removed the keystore file from the location you had it.
Just create another directory outside of your project files, for example you can create it in your C:\ drive, and copy the keystore file in that directory, don't forget to change the location of the keystore file under Tools\Private Sign Key in the IDE.

Regards,
Walter
 
Upvote 0
Scotter

Scotter

Active Member
Licensed User
Or should I put this info somewhere in my project:
B4X: 
Scott Swain
ClearSay
US
--pw here--
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: b4a
Creation date: Dec 12, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Scott Swain, O=ClearSay, C=US
Issuer: CN=Scott Swain, O=ClearSay, C=US
Serial number: --sn here--
Valid from: Wed Dec 12 19:24:17 CST 2018 until: Wed Apr 11 20:24:17 CDT 2057
Certificate fingerprints:
--stuff here--
     Signature algorithm name: SHA1withDSA
     Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
--stuff here--
]
]
*******************************************
*******************************************
 
Upvote 0
Scotter

Scotter

Active Member
Licensed User
walterf25 said:
The reason you get this error is because you removed the keystore file from the location you had it.
Just create another directory outside of your project files, for example you can create it in your C:\ drive, and copy the keystore file in that directory, don't forget to change the location of the keystore file under Tools\Private Sign Key in the IDE.

Regards,
Walter
Click to expand...
So are you saying keep keystore out of "project/files" but reference it from in the project IDE?
I thought referencing a file would then copy the file into project/files?
 
Upvote 0
Scotter

Scotter

Active Member
Licensed User
Aha! I re-read your message and figured there was only one reference needed, to do it from tools/private sign key in the IDE. As you said. THANKS!
 
Upvote 0
You must log in or register to reply here.

Similar Threads

fernando1987
  • Article
B4A Library GSheet Library (integrate google sheets into your B4X apps easily)
2
Replies
35
Views
13K
fernando1987
fernando1987
Erel
  • Article
Android Tutorial jarsigner error: java.security.SignatureException: private key algorithm is not compatible
Replies
2
Views
15K
Erel
Erel
Johan Schoeman
  • Article
B4A Library 1D and 2D Barcode Scanner with ZXING - another Barcode Scanner that is 100% embedded in B4A
2 3 4
Replies
75
Views
40K
Xfood
Xfood
Erel
  • Locked
  • Article
B4J Library [B4X] KVS2 / KeyValueStore 2 - Simple & Powerful Local Datastore
2 3 4
Replies
74
Views
57K
Erel
Erel
Erel
  • Article
Android Tutorial Embedding files in compiled libraries
2
Replies
39
Views
13K
Erel
Erel
Top