Sign Android APKs

    • Sign a production app with a production certificate, not a debug certificate
    • Make sure the certificate has a sufficient validity period (i.e., it won’t expire during the expected lifespan of the app)
    • Google recommends that your signing key be at least 2048 bits
    • Also, restrict access to the keystore to only those people who absolutely require it
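
As an added example (not code from the original page), the script below builds the keytool command line for a release key that meets the points above (RSA, at least 2048 bits, long validity) and vets an existing keystore entry, as printed by `keytool -list -v`, against the same policy: private-key entry, not the SDK debug certificate, key size, and a validity period that outlasts the app's expected lifespan. It assumes keytool output in the English-locale layout of the constructed sample inside the script (JDK 9 and later print the "Subject Public Key Algorithm" line) and dates printed in UTC; the keystore path, alias and distinguished name are placeholders.

```python
"""Generate and vet an Android release signing key with keytool (added example)."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

MIN_RSA_BITS = 2048
DEBUG_DN_MARKER = "CN=Android Debug"  # DN of the SDK's debug keystore entry

# Java's default Date.toString() layout, e.g. "Mon Jan 01 00:00:00 UTC 2024"
_DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"
_VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+?)$", re.MULTILINE)
_KEY_RE = re.compile(r"^Subject Public Key Algorithm: (\d+)-bit (\w+) key", re.MULTILINE)
_OWNER_RE = re.compile(r"^Owner: (.+)$", re.MULTILINE)
_ENTRY_RE = re.compile(r"^Entry type: (\w+)$", re.MULTILINE)


def release_keygen_command(keystore, alias, dname, validity_days=10000,
                           key_bits=MIN_RSA_BITS):
    """argv for `keytool -genkeypair` creating a release key; keytool prompts for passwords."""
    if key_bits < MIN_RSA_BITS:
        raise ValueError(f"key size {key_bits} is below the {MIN_RSA_BITS}-bit minimum")
    return ["keytool", "-genkeypair", "-v", "-keystore", keystore, "-alias", alias,
            "-keyalg", "RSA", "-keysize", str(key_bits),
            "-validity", str(validity_days), "-dname", dname]


def list_keystore_entry(keystore, alias, storepass):
    """Return the `keytool -list -v` text for one alias (run with UTC dates for the parser)."""
    return subprocess.run(
        ["keytool", "-list", "-v", "-keystore", keystore, "-alias", alias,
         "-storepass", storepass, "-J-Duser.timezone=UTC"],
        capture_output=True, text=True, check=True).stdout


def _parse_java_date(text):
    # Assumes the zone printed is UTC (see -J-Duser.timezone=UTC above).
    return datetime.strptime(text.strip(), _DATE_FMT).replace(tzinfo=timezone.utc)


def check_signing_cert(keytool_listing, expected_lifespan_years, today=None):
    """Return a list of policy violations; an empty list means the entry passes."""
    today = today or datetime.now(timezone.utc)
    problems = []

    m = _ENTRY_RE.search(keytool_listing)
    if not m or m.group(1) != "PrivateKeyEntry":
        problems.append("entry is not a PrivateKeyEntry (no private key to sign with)")

    m = _OWNER_RE.search(keytool_listing)
    if m and DEBUG_DN_MARKER in m.group(1):
        problems.append("certificate is the SDK debug certificate, not a production one")

    m = _KEY_RE.search(keytool_listing)
    if not m:
        problems.append("could not determine key algorithm/size")
    else:
        bits, alg = int(m.group(1)), m.group(2)
        if alg == "RSA" and bits < MIN_RSA_BITS:
            problems.append(f"RSA key is {bits} bits, policy requires >= {MIN_RSA_BITS}")

    m = _VALID_RE.search(keytool_listing)
    if not m:
        problems.append("could not determine validity period")
    else:
        not_before, not_after = (_parse_java_date(s) for s in m.groups())
        if today < not_before:
            problems.append("certificate is not yet valid")
        needed_until = today + timedelta(days=365 * expected_lifespan_years)
        if not_after < needed_until:
            problems.append(f"certificate expires {not_after.date()}, before the "
                            f"expected end of life {needed_until.date()}")
    return problems


# Constructed sample: what keytool -list -v prints for a release key generated with
# 2048-bit RSA and a 10000-day validity (fingerprint lines omitted for brevity).
SAMPLE_RELEASE_LISTING = """\
Alias name: release
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example App, O=Example Corp, C=US
Issuer: CN=Example App, O=Example Corp, C=US
Serial number: 1a2b3c4d
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Fri May 18 00:00:00 UTC 2051
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
"""

# Constructed sample: the same entry but carrying the SDK debug DN, which must not ship.
SAMPLE_DEBUG_LISTING = SAMPLE_RELEASE_LISTING.replace(
    "Owner: CN=Example App, O=Example Corp, C=US",
    "Owner: CN=Android Debug, O=Android, C=US")

# Fixed "today" so the checks below are reproducible.
SAMPLE_TODAY = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(" ".join(release_keygen_command("release.jks", "release",
                                         "CN=Example App, O=Example Corp, C=US")))
    for name, listing in (("release", SAMPLE_RELEASE_LISTING), ("debug", SAMPLE_DEBUG_LISTING)):
        print(name, check_signing_cert(listing, 25, today=SAMPLE_TODAY) or "OK")
```

The generation command deliberately leaves `-storepass`/`-keypass` off so keytool prompts for them rather than exposing them in the process list or shell history; `check_signing_cert` is what a release pipeline would run against the listing of the real keystore before it is allowed to sign a build.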

    Here’s an example of a Keytool command that generates a private key: