1

I fail to find an answer on google and I am concerned about my keyPassword, storePassword, and other information which is clearly visible on my build.gradle(Module:app).

I have gone throught the following documentation link but wasn't convinced:

https://developer.android.com/studio/publish/app-signing.html

It states:

Because the debug certificate is created by the build tools and is insecure by design, most app stores (including the Google Play Store) will not accept an APK signed with a debug certificate for publishing.

Does this mean anyone who finds my debug app, which is installed directly from Android Studio, will be able to find my signing information such as keyPassword and storePassword?

I appreciate any thoughts on this matter.

Darush
  • 11,403
  • 9
  • 62
  • 60

1 Answers1

3

No, the keyPassword and storePassword are not included in the final build artifacts.

They belong to the build script which isn't part of the apps source code.

A debug certificate is insecure by design because it's auto generated. If you include your own signing configuration (for a release build) and build your app in debug mode the build process wont even use the custom release signing configuration.

This might be helpful in understanding the difference between build code and source code: What is Gradle in Android Studio?

TLDR: No, the key and store passwords do never end up in the final package.

Community
  • 1
  • 1
Rolf ツ
  • 8,611
  • 6
  • 47
  • 72