downloading private apps on google play Answers to common questions about Play App Signing. Android apps are cryptographically signed by the developer. This allows the package manager on the user’s device to verify that every app update comes from the same source and that it hasn’t been tampered with. Google Play also enforces this signature check when you upload your APK to the Google Play Console, so that even if someone had your login credentials it would be impossible to send a malicious update without also having access to your private key. Historically, developers were responsible for generating their own private keys and keeping them safe throughout the application’s lifetime. While this offered a lot of flexibility, it was also prone to mistakes: generating weak keys, accidentally checking in your private key to a public repository or even losing it altogether are just a few common ones that happen routinely even to seasoned developers. Nowadays developers have a compelling alternative to managing keys themselves: Play App Signing , in which the upload key (the one you use to upload your artifacts to Google Play) and the app signing key (the one used to sign APKs distributed to devices) can be separate, and the app signing key is stored securely on Google’s infrastructure. Even though many other popular platforms treat distribution keys this way, for many developers it’s a departure from the previous Android signing model, and some developers may feel like they’re giving up too much control over their apps. That’s why, I want to dispel some common misconceptions about Play App Signing, as well as give guidance on specific scenarios that you might encounter. This advice is based on questions our Developer Relations team has heard from developers at conferences, in online forums and our 1:1 chats. Let’s start with the most compelling reason to switch to Play App Signing: 1. I’ve lost the key used for signing release artifacts that I upload to Google Play. What are my options? Without Play App Signing : Without the app signing key, there’s nothing you or Google can do to continue updating your app due to security protections built into Android. Your only option is to create a new store listing with a new package name and start from scratch. With Play App Signing : You can request a new upload key. Play will be able to continue signing your app updates with the app signing key, which is securely stored by Google. If I were to name one reason that speaks for the adoption of app signing, it would be the one above. But before we go further and talk about specific scenarios that app signing can help you remediate (there are more!), let’s pause to answer a meta-question first: 2. Why does Google want developers to switch to Play App Signing? Google Play’s first priority is to build a trusted, safe, and secure platform for billions of users and millions of developers for many years into the future. The sustainability and success of the ecosystem depends on this. Most developers cannot match the level of security that Google can offer. The new app model, where Play ingests publishing artifacts and generates signed artifacts is designed to minimize the surfaces where the signing keys could be exposed. It is not only secure, but also more efficient, and future-looking with benefits for end-users and developers alike. For example, a number of apps currently on the Play Store still haven’t adopted the more secure v2 signing scheme. Once enrolled into Play App Signing, apps benefit from the new protections and future enhancements automatically, without developer work required. And finally, separating the publishing format (using Android App Bundles) from the serving format (split APKs) unlocks benefits for developers and users alike: from increased security, to optimization, reduced complexity and fragmentation. In order to do this, however, Play must have the ability to sign the serving artifacts. Some examples of features available right now are automatic size optimizations for app delivery, as well as new customizable delivery options for modules in your app. More importantly, it gives us a way to evolve and improve the delivery mechanisms in the future, while ensuring the trust and safety of the distributed artifacts. Even though we continue to improve our serving stack, we don’t modify and distribute your application code without your knowledge and approval, and the new optimizations Play performs are available for your inspection in the open source bundletool . Later in this FAQ I discuss some of the metadata (metadata which doesn’t impact how your app works) differences you might see between artifacts downloaded from Play and generated locally. 3. My app signing key was generated many years ago and I’m afraid its cryptographic strength no longer meets today’s standards or I believe that my app signing key has leaked. What can I do to upgrade? Without Play App Signing : As previously mentioned, you cannot simply switch to a new key, as that would mean your existing users would not be able to get app updates. You either have to continue using your existing key and risk the safety of your users’ data or start a new app entry from scratch. With Play App Signing: If you are using a weak key or your key was compromised, you can upgrade your app signing key for new installs. This works by delivering APKs signed with your legacy key to existing users when they update the app, while fresh app installations get APKs signed with the upgraded, secure key. Consider enabling app signing now and switching to using a separate upload key as soon as possible, reducing the likelihood of ever compromising the app signing key. The current process of upgrading to a new key is not instantaneous and if the app signing key leaks, your existing users will be at risk until they reinstall the app or move to a new device. Please note that the current key upgrade process does not take advantage of the key rotation feature introduced in Android 9 (Pie) and above. We are currently investigating support for key rotation using app signing v3 for devices on these OS versions and will let the developer community know once it’s ready in a separate announcement. 4. The upload key I used for signing my artifacts was stolen. What are my options? Without Play App Signing : There is no concept of a separate “upload key”, so if your release signing key leaks, you could be in big trouble: someone could create malicious or unauthorized versions of your app that would be indistinguishable (and updateable!) from your original APKs. Of course, Google account protection applies to Google Play Console access (and we recommend developers enable 2-step verification), so the attacker would still have to find a way to trick a user into sideloading such a modified APK. Nevertheless, your app’s security is weakened. Refer to the question 3. above about a compromised app signing key to see what kind of remediations are available, including key upgrade for new installs. With Play App Signing : If your upload key is separate from your app signing key (which I cannot recommend highly enough), and the upload key is the one that leaked, that means your users’ data is safe — the upload key is not enough for an attacker to be able to impersonate APKs signed with the app signing key. Simply request a new upload key. If you continued to use your app signing key for uploading to Play when you first enabled app signing, and that app signing key leaked, you are in a bit of a worse situation, but app signing can still remedy the problem. Follow the advice on how to upgrade your key for new installs. 5. I enabled Play App Signing for my app, but I changed my mind and would like to download the app signing key that is stored on Google’s infrastructure. It’s not possible for you, or anyone else on your developer account, to download and save the private key for your app that’s stored on Google’s secure infrastructure. This is to ensure the protection of your app signing key. If you foresee a situation in which you will need continued access to your app signing key, you should do the following when enabling app signing: Do not select the option for Google Play to generate the app signing key for you. Generate your signing key locally on your machine instead. Securely transfer your key to Google Play, and do not delete it from your machine. Keep the key secure , ensuring it doesn’t leak to third parties. Make sure to create and test backups of your key regularly, as you will not be able to download it from Google in case you lose it. These steps are explained in the documentation. Look for the instructions on how to “ opt in for an existing app ” to see how to encrypt your signing key to upload it to the Google Play Console from Android Studio or the command line. If you are absolutely sure you will not need continued access to your private app signing key, we recommend that you either let Play generate your key (for new apps) or that you delete your copy after transferring it to Play, and switch to using an upload key. The upload key can be reset, and it doesn’t compromise your users’ security in case it leaks. 6.