The keystore and its password are used to sign the app, and Android then uses that signature to identify the developer. If leaked, someone could update the concerned app on our behalf. Even if the person doesn’t have access to our Play Store account, they could still publish it somewhere else.
We see everywhere “never lose it”, “never leak it”, etc. But what if I did? I cannot find the required steps to follow when both the keystore and its password leak, so that I can protect our users and our app.
Even if I publish the same app with another app id, how can I protect my users who are still on the old one? Is there some best practice here?
Unfortunately, there doesn’t seem to be a great way to migrate an existing application to a new signing key. This is probably for the best, since the best practice remains to a) have a strong key and b) keep your private release key as private as possible. I found this article outlining a feasible (but rather user-unfriendly) way to migrate from a 1024-bit to a 4096-bit key, which seems to fit your use case. Since you still have a valid signing key for the compromised app, you can attempt to migrate users away from it via an update:
- Generate the new signing key, RSA 4096
- Update the first app, App1, with a mechanism for exporting private data, using TrustedIntents with a signature pin of the new key, RSA 4096, which Checkey will generate for you
- Create a new version of the app with a different package name, App2
- Sign App2 with the new key, RSA 4096
- Add a method to App2 for receiving user data from App1, including a signature pin of the old signing key, RSA 1024, for use with TrustedIntents
- Publish App2 to the app stores
- From App1, prompt the user to install App2
- App2 runs and imports data from App1
- App2 prompts the user to uninstall App1
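To make the “signature pin” in the receiving step concrete, here is an added Java example (not code from the original answer, from TrustedIntents or from the linked article) of how App2 can refuse imported data from anything other than App1 signed with the pinned old certificate. The package name and certificate fingerprint are placeholders; the same check with the other package name and the new RSA 4096 fingerprint is what App1 should run before exporting.

```java
import android.app.Activity;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Signature pin check on the App2 side (receiving App1's exported data). */
public final class SignaturePin {
    // Package name of App1 (assumed value) and the SHA-256 fingerprint of its
    // old RSA 1024 signing certificate (placeholder; replace with the real
    // fingerprint, e.g. from keytool -printcert -jarfile App1.apk, colons removed).
    static final String APP1_PACKAGE = "com.example.app1";
    static final String APP1_CERT_SHA256 =
            "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF";

    /**
     * Returns true only if the Activity that started us (via startActivityForResult)
     * is App1 AND it is signed with the pinned certificate. getCallingPackage()
     * is null when the caller used plain startActivity, so such an import is
     * refused rather than trusted.
     */
    public static boolean callerIsApp1(Activity self) {
        String caller = self.getCallingPackage();
        if (!APP1_PACKAGE.equals(caller)) return false;
        try {
            PackageInfo info = self.getPackageManager()
                    .getPackageInfo(caller, PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            // A pin names one certificate: refuse anything multi-signed or unsigned.
            if (sigs == null || sigs.length != 1) return false;
            return constantTimeEquals(sha256Hex(sigs[0].toByteArray()), APP1_CERT_SHA256);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    // Hex SHA-256 of the DER-encoded signing certificate, matching keytool's output.
    static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // Compare fingerprints without revealing where they first differ.
    static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }
}
```

On Android 9 (API 28) and later, `GET_SIGNATURES` is deprecated in favour of `GET_SIGNING_CERTIFICATES` and `PackageInfo.signingInfo`; the comparison against the pinned fingerprint is otherwise the same.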
Unfortunately, there is no easy answer to this problem. As mentioned above, the most general solution is to create a new app, tell users to switch, and migrate the data over.
However, on Lollipop+ there is another possible solution. You can use upgrade keys to change the signing key of an app in place, which saves you the trouble of creating a second app or doing the data migration. Unfortunately, Play currently has no support for this, so it’s only really an option for off-market apps, and users on KitKat are out of luck.