AnDevCon 2012: New Code Signing Services to Protect Your App
Author: Dean Coclin, Senior Director of Business Development at Symantec
Today, I had the opportunity to meet over a hundred talented developers at AnDevCon 2012 during my session on “Challenges in Code Signing and Key Security."
Android has quickly become one of the most popular operating systems for mobile devices. It’s amazing how this ecosystem has changed. Only 5 years ago, Symbian was the #1 smartphone OS in the world and now its market share has dwindled down to a much smaller number. Five years ago we were also carrying around our Palm Treo devices, a company that no longer even exists and their WebOS has been literally thrown away by HP, their new parent.
It’s been an interesting month in the Bay Area as tech giants Oracle and Google battled each other in court over whether Android contains unlicensed portions of Java™. But while the rendered decision still leaves unanswered questions, one thing is clear: Android continues to attract an enormous amount of developers to its ecosystem. Why? The OS is free, which means OEMs can sell their devices to carriers for less which can in turn provide them to their customers at a lower cost. This has propelled Android to one of the top mobile OS’ in the world.
Hence developers want to use this channel to provide valuable applications to Android phone customers and make more money!
In an attempt to provide some security for applications, Android enforces a code signing model which means all applications must be digitally signed before they can be uploaded to the Google Play store. The requirements say that the developer must create a key valid for 25 years and store that key securely in case they need to sign an update to the original application later. If they sign the updated app with a different key (because original was lost), the former version of that app will not be replaced on the device, rather, the user will now have 2 versions of the same app.
So the developer in essence has to create this long lived key (or keys, one for each app), keep it someplace where they won’t forget where it is and protect it with a password that they also must not forget. And let’s remember that many large corporations, particularly financial institutions, develop code for Android. How can they ensure that their developers keep those keys secure and not take them when they leave the company? Also, how do they know what has been signed with what keys? This quickly becomes a problem when it comes time for an internal audit.
After talking with many customer groups, Symantec has created a solution to the above mentioned issues. The Symantec Code Signing Portal for Android allows developers to upload applications to a secure cloud where they will be signed by a key with a 25 year lifetime. The key will identify the developer and chain to a Symantec root certificate. Symantec will guard that key so that the next time a developer needs to sign the next version of that app, they can just upload it to the portal. Once the app is signed, it is returned to the developer so it be sent to Google Play’s app store. No worrying about lost keys, and with our convenient reports, and management can keep track of who signs what app.
Individual developers can now relax and not worry about where they kept their key. I can hear the sigh of relief when Ms. Developer creates version 2 of her app and realizes that she doesn’t need to remember where she put that key. All she has to do is upload the app to the portal and request it be signed with the same key as version 1. Symantec takes care of the rest.
If you would like to learn more about this new service, please go to: http://www.symantec.com/verisign/code-signing/android