• Protect the app's APK using signing
• Use Android's Keystore to generate and store cryptographic keys
• Use them to sign an app
• Generate HMAC to sign a message
• Verify HMAC to check message integrity

If you want to install an application on Android, the apk must be digitally signed with a certificate. For example, when you test your application on the emulator, Android Studio signs the apk with a debug certificate. The first time when you run or debug a project in Android Studio, a debug keystore and certificate is automatically created using the Android SDK tools in $HOME/.android/debug.keystore. Also the keystore is initialized and the key password are set.

As a security measure the debug certificate needs to be used only for testing and for debug builds. This certificate is not secure for using on app stores.

For later runs/debugs Android Studio automatically stores the debug signing configuration so that we do not need to enter it every time we launch the app. The signing configuration contains the keystore location $HOME/.android/debug.keystore, keystore password, key name and key password. This debug signing configuration used at run/debug is not available for editing. You can create a signing config for your release builds.

Steps for generating and uploading key and keystore:

1. Go to Build > Build > Generate Signed Bundle/APK
2. Select APK
3. Under Key store path choose Create new
4. Complete the fields and then continue with the signing steps below

Sign app with key:

1. Build → Generate Signed Bundle/APK
2. In the Generate Signed Bundle/APK choose APK
3. The app module should be selected if not choose it or choose a module from the drop down
4. Enter the path to your keystore, the alias for the key and the passwords for keystore and key
5. Enter destination folder for the signed app, enter the release build type, choose the flavor
6. Choose the APK Signature version your app to support
7. Finish

For more details on application signing and distribution check App Signing

In this task will see how Android applications are signed:

• Create a new application (with an empty activity).
• Using the steps presented in the lab create a key and keystore and generate the signed APK of the application.
• Use adb tool to install the APK.

In this task will create a signing configuration for different build types.

• Create a release signing configuration with the data from Task 1. Auto sign
• Build a release version when pressing Run. Check Build Variants view from Android Studio.
• Create a release signing configuration using a new key.
• Sign the application wth the new release config and use adb to install the signed apk. You should install the new signed apk on top of the one from Task 1. What happens with the application?

Add an activity to the project. Include an EditText and a Button in the first activity. When the user types a text and presses the button, it will send the text to the second activity through an intent (putExtra). In the second activity, get the message from the Intent and display it in the TextView.

In the first activity generate a symmetric key using KeyGenerator for HmacSha256 algorithm. Save this key in a Singleton (that can be accessed from both activities). Then generate the HMAC of the text introduced by the user (using Hmac with HmacSha256 algorithm) and send the HMAC along with the initial message (through the Intent). In the second activity, obtain the HMAC from the Intent, obtain the Singleton, get the symmetric key and recompute the HMAC. If the HMAC is valid (equal with the recomputed one), Display the message “Data is unmodified”.

Hint: Send data and HMAC as byte arrays in the Intent.
Hint: Use Arrays.equals() for byte arrays comparison.