0

I've develop an app (thesis) to be used by 10 people (geologists). My question is, do i need to sign my app in release mode or just give them the apk file from bin through flash drive?

Ajay S
  • 48,003
  • 27
  • 91
  • 111
Jane07
  • 31
  • 7
  • What prevents you from just signing the apk? – donfuxx Mar 02 '14 at 15:47
  • I just don't know if it needs to be signed because they will just use it privately and they don't want to share it so.. no need to upload it in play store.. – Jane07 Mar 02 '14 at 15:55

3 Answers3

1

According to android developer guide you application must digitally signed to install or run Android system. This may help you in signing the apk.

Community
  • 1
  • 1
Mobi
  • 645
  • 3
  • 6
  • 14
1

An android phone will refuse to install an apk that is not signed at all, so the question is really between signing with a debug certificate vs. signing with a release one.

While you can distribute a debug signed apk outside of a marketplace, debug certificates tend to have short validity periods on the order of a year. This will, at minimum, cause problems with providing upgrades in the future, as after the certificate expires you would have to create a new one, and changing the certificate would require wiping out the private data of the old version on each phone.

(According to the docs, an already-installed app will continue to work after its certificate expires, but there could still be problems if a user gets a new device, etc)

There is also a security concern, in that (except on the version where it was broken) the run-as debug tool allows anyone with adb to execute programs as the userid of a debug-cerficate app. This would expose all the private data in the app, much like running on a rooted phone potentially does.

For these reasons, as well as general "that's not what it is for!" distribution channels tend to refuse to accept debug-signed apk's.

Chris Stratton
  • 39,853
  • 6
  • 84
  • 117
  • So the debug signed apk certificate is a year, while the release mode can take up to whatever years the user input in validity right? – Jane07 Mar 02 '14 at 18:05
  • 1
    While this is a technically accurate answer to the OP's question, it is not useful. The OP almost certainly does not know how to produce an "unsigned" APK. As noted below, it would be better to explain that his APK *IS* signed. It is signed with the dev key, and there is no particular reason not to distribute it. – G. Blake Meike Mar 02 '14 at 18:39
  • On the contrary, what I am explaining here are the reasons why distributing a debug-signed apk is generally viewed as *unwise*. Since that is the only *workable* alternative to distributing a release signed one, it answers the question both literally and practically. – Chris Stratton Mar 03 '14 at 02:12
0

You can distribute your APK after signing with debug certificate if you are not going to upload it on Google Play and only looking for testing purpose or distribute to client for just testing purpose.

APK won't install/update once your debug certificate expire and debug certificate validity is almost one year.

Upon installation, the Android SDK generates a “debug” signing certificate for you in a keystore called debug.keystore. A debug certificate is only valid for 365 days.

If you are looking to release updates it is good if you sign your application with own release certificate and in this you can set your expire validity.

Ajay S
  • 48,003
  • 27
  • 91
  • 111
  • 1
    Is there a way for them to get the updates automatically if I update the app or only if I upload it in marketplace? – Jane07 Mar 02 '14 at 16:02
  • You can do same as like market does but this wont be silent. For this you have to write the code in your android app, keep a version file on your server that will tell whether any update of your app, if there then download the updated app and ask user to install the app. For all this process you need a Web API also. If you are looking for this I recommend to you go for Google Play instead of managing the stuff which Google Play already does own – Ajay S Mar 02 '14 at 16:05
  • 1
    Untrue, even during development an android device will not let you install an **unsigned** apk. The question is about distributing a debug signed apk vs distributing a release signed one. – Chris Stratton Mar 02 '14 at 16:08
  • @ChrisStratton I have updated my answer see, OP actually does not need to upload the app on Google play as he wrote in the comment – Ajay S Mar 02 '14 at 16:11
  • You are still missing the point - even during development, you cannot install an **unsigned** app. The question concerns signing with a debug certificate vs. a release one - but in both cases, the app has to be signed or the phone itself will refuse it. – Chris Stratton Mar 02 '14 at 16:15
  • 1
    @ChrisStratton I don't think anyone is talking about an unsigned app. The discussion, here, is about an app signed with the dev key, or one signed with a private key. This answer is correct in saying that you can copy the apk from the bin folder and distribute it. – G. Blake Meike Mar 02 '14 at 16:50
  • @ChrisStratton I meant was for to sign the application with debug certificate, So I think there is no need of release certificate to install the APK in your device for development/testing purpose until you upload the app on the Google Play, I agreed on your points on these. Thanks for letting me know, Please let me know if still I am wrong anywhere. – Ajay S Mar 03 '14 at 14:03