Publish to Google Play Store
Our Authenticator App uses Promon SHIELD® for app security. It provides robust protection against unauthorised access and app tampering. As a result, you do not need to enable the automatic protection service in the Google Play Console when publishing the app.
If automatic protection is enabled, it adds files to the app bundle that conflict with the Promon SHIELD® repackaging detection. This can cause app crashes and submission errors.
Overview
This guide explains how to publish your app while meeting the security requirements of platforms such as Google Play. To do this, you need to:
- Generate an upload key and app signing key for Android. This is required for secure distribution.
- Securely share the certificates with Signicat.
- Re-sign the shielded app for final distribution to app stores.
How to publish your app
1. Create the signing key certificates
- Generate the upload key certificate using Android Studio or the command line.
- This is used to sign the app when uploading it to the Google Play Store.
- If you already have an existing upload key certificate, you can use this.
How do I do this?
To learn how to do this, see the Generate an upload key and keystore section in the Android developer documentation.
- Generate the App signing key certificate:
- The App signing key is automatically generated the first time you create a release in the Google Play Console.
- You can either use a Google generated key, or an existing one.
- Download the certificates in the Google Play Console.
How do I do this?
In the Google Play Console, navigate to Setup, then App Integrity.
To learn how to do this, see the Using Play App Signing section in the Android developer documentation.
2. Send the App signing certificate to Signicat
Next, you need to securely share the app signing certificate with Signicat for further configuration. To do this:
- In the Signicat Dashboard, navigate to the Contact Us service.
- Create a new support ticket, where you share the following files from Step 1:
  - deployment_cert.der
  - upload_cert.der
3. Embed, build, sign and distribute
These steps are undertaken by Signicat. This means that they do not require any action from you.
- Once we have received your support ticket, we will embed the App Signing Certificate in the Shield configuration file.
- We will build the shielded app and sign it with a Signicat key.
- We will distribute the app to you by uploading it to our Nexus repository.
4. Re-sign the shielded app
Once you receive the shielded app, you must re-sign it with your own credentials. To do this for an Android App Bundle (AAB):
- Remove the existing app signature by deleting the following files from the .aab (Android App Bundle) archive:
  - META-INF/CERT.SF
  - META-INF/CERT.RSA
  - META-INF/MANIFEST.MF
  Example: Commands to remove the signatures
    zip -d bundle.aab 'META-INF/CERT.SF'
    zip -d bundle.aab 'META-INF/CERT.RSA'
    zip -d bundle.aab 'META-INF/MANIFEST.MF'
- Re-sign the .aab file with your upload key:
  Example: How to re-sign with your upload key
    apksigner sign --ks uploadkey-keystore.jks --ks-key-alias uploadkey-alias bundle.aab
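A check to run around step 4, as an added example that is not part of Signicat's documentation: it lists any JAR signature entries still in the bundle (generalising the three file names above to signature files named after another key alias) and formats the SHA-256 fingerprint of a .der certificate for comparison with the fingerprint shown in the Play Console. The function names and the in-memory sample bundle are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile

# JAR signature entries: the manifest, plus <NAME>.SF and its signature block
# (<NAME>.RSA/.DSA/.EC). <NAME> is CERT on this page; in general it is derived
# from the alias of the key that signed the archive.
_SIG_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$", re.IGNORECASE)


def leftover_signature_entries(bundle):
    """Return the JAR signature entries still present in an .aab (path or file object)."""
    with zipfile.ZipFile(bundle) as archive:
        return sorted(n for n in archive.namelist() if _SIG_ENTRY.match(n))


def cert_sha256_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def constructed_bundle(names):
    """Build an in-memory zip with the given entry names (constructed sample, not a real bundle)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    signed = constructed_bundle([
        "BundleConfig.pb", "base/manifest/AndroidManifest.xml",
        "META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA",
    ])
    print("before zip -d:", leftover_signature_entries(signed))
    stripped = constructed_bundle(["BundleConfig.pb", "base/manifest/AndroidManifest.xml"])
    print("after zip -d: ", leftover_signature_entries(stripped))
    print("fingerprint:  ", cert_sha256_fingerprint(b"constructed bytes, not a real certificate"))
```

On a real bundle, pass the path (for example `leftover_signature_entries("bundle.aab")`) after the `zip -d` commands; an empty list means no old signature entries remain before you re-sign.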
5. Upload and configure the shielded app
Finally, you need to upload the shielded application (.aab) file to the Google Play Store using the Google Play Console.
Before you can submit your app for review, you must complete the required declarations in the App content section of the Play Console as described in the sections below:
Privacy policy
You must have a Privacy Policy URL.
- Google Play Console requires a privacy policy that is owned by your business.
- You cannot use Signicat's privacy policy in this section.
Data safety
- You are required to fill out the Data safety form. To learn how to do this, see our Data safety form guide.
- To learn about what data is collected in the Authenticator App, see our Collected data page.
Note
Data collection may vary depending on your specific application configuration and enabled features.
Financial features
If your service provides financial features using the Authenticator App, then you may have to provide additional information. To learn about how to declare this, see the Google Play Console Help documentation.