24
Views
4
Comments
Solved
Signing Android application with v2 signature scheme
Question

Hello everyone,


I have a mobile application built in Outsystems and an Android version generated and signed following the instructions here.

During the SAST testing, one of the findings in the report indicates that the android signature scheme used to sign the app is of type v1, where as the minimum required is v2. Is there a way I can re-sign the app using the v2 signature scheme? After a bit of reading, it seems like after signing the app with v1 signature, android documentation recommends signing it with v2 again. If I go this route, will the updates I make to the app be deployed to client mobiles?


Please let me know.

Thanks.


Staff
Rank: #32784
Solution

Hello Junaid,

From what we evaluated, apps built with MABS 5 and 6 are signed with both the v1 and v2 signature schemes. The v1 signature is required to install apps in devices that have older versions of Android (Android 6 and prior). Scheme v2 is recommended for devices with Android 7 or newer.

This situation is on our radar for MABS 7 development, but there should be no issues with MABS 5 and 6 builds. MABS 7 will be released with the required signature schemes.

You can check the used schemes by following the first bullet of this answer: https://stackoverflow.com/a/38990267. If you see any warnings being printed it's due to the v1 signature that will only be used in older devices (with no other alternative).

Best regards,
Nuno Azevedo

mvp_badge
MVP
Rank: #2

Hi Junaid,

I'll ask around. This might be fixed with the new MABS version, but I'm not sure.

Staff
Rank: #32784
Solution

Hello Junaid,

From what we evaluated, apps built with MABS 5 and 6 are signed with both the v1 and v2 signature schemes. The v1 signature is required to install apps in devices that have older versions of Android (Android 6 and prior). Scheme v2 is recommended for devices with Android 7 or newer.

This situation is on our radar for MABS 7 development, but there should be no issues with MABS 5 and 6 builds. MABS 7 will be released with the required signature schemes.

You can check the used schemes by following the first bullet of this answer: https://stackoverflow.com/a/38990267. If you see any warnings being printed it's due to the v1 signature that will only be used in older devices (with no other alternative).

Best regards,
Nuno Azevedo