Problems/Caveats with Self-Signed Certificates for Android Apps?

0
votes

The book I am using to learn Android app development says:

To install an Android application onto a device, you first need to sign the Android package (.pak file) with the digital signature of a certificate. The certificate, however, can be self-signed -- you do not need to purchase a certificate from a certificate authority such as VeriSign.

OK, so I understand that to install the app onto a device, any digital signature will do (The ADT plugin for Eclipse is doing this automatically for me already). But, it is unclear to me whether:

  1. Will a self-signed certificate suffice for the Android Market?
  2. Are there any problems or caveats down the road if I decide to release an app with a self-signed certificate?

This is the first time ever for me to start the process of releasing an app to the Android Market and your experienced answers would be most appreciated.

Thanks.

1
androiddigital-signaturegoogle-playdigital-certificate

1 Answers

2
votes
  1. Yes.
  2. No.

All the cert does is validate WHO you are. Nothing else.

EDIT: actually, it doesn't even validate that. All it validates is that this app was made by the entity with the private key for this certificate. It generates an identity trail: no other entity can claim to be the same entity without access to the same private key.

In addition, some of the process/file/user permissions are tied up in the use of the same certificate (for example I have multiple apps signed with the same certificate and they can open each other's databases even though each app is separately installed).

EDIT: No relationship at all, as the self signed certificate issues are based on the browser root certificate store. In browsers they are trying to do explicit trust (i.e. the entity that is using this certificate is verified by the a known root certificate authority as the entity the certificate identifies). With self-signed certificates the cert chain doesn't end in a known root so ANYONE could have issued it and lied, while with Verisign/Thawte/Godaddy/Other the argument being made is that the owner of the root certificate in some way verified that the entity it handed the cert to is actually authorized to identify themselves as that entity.