Your app contains embedded private keys or keystore files

Hi all,

Did anyone receive an email notification from Google like this before? It mentions that my private keys are not well protected. I am not sure what it means, and I did provide a strong password for the keystore.

I am using Corona SDK to develop this app for trial purposes. It might be the reason that triggered the warning email. I read on another forum that the Basic4Android framework also has one user with this issue.

This is a notification that your app (xxx) contains one or more private keys or keystore files embedded in its published apk as listed at the end of this email. These embedded items can be accessed by third parties, which can raise a variety of different security concerns depending on what the key is used for. For example, if the private key is the signing key for your application, a third party could sign and distribute apps that replace your authentic apps or corrupt them. Such a party could also sign and distribute apps under your identity.

As a general security practice, we strongly recommend against embedding private keys and keystore files in apps, even if the keys are password protected or obfuscated. The most effective way to protect your private key and keystore files is not to circulate them.

Please remove your private keys and keystore files from your app at your earliest convenience. Each app is different, but if you aren’t sure how to locate the keys and keystore files in your app, you can try looking for files with the “keystore” file extension and grepping for “PRIVATE KEY”. For more information about keeping your key secure, please see https://developer.android.com/tools/publishing/app-signing.html.

You have a responsibility as a developer to secure your private key properly, at all times. Please note, while it’s unclear whether these specific issues affect your application, applications with vulnerabilities that expose users to risk of compromise may be considered “dangerous products” and subject to removal from Google Play.
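Google's email suggests looking for keystore files and grepping for "PRIVATE KEY". The following is an added pre-publish check, not code from this thread or from Corona SDK, that opens an APK (a zip file) and flags entries by the same three signals: a keystore-like file extension, the JKS keystore magic bytes 0xFEEDFEED, and a PEM "PRIVATE KEY" header. The sample APK it builds is constructed for demonstration and contains no real key.

```python
import io
import re
import zipfile

# Real format markers: PEM private-key header and the JKS keystore magic number.
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
JKS_MAGIC = b"\xfe\xed\xfe\xed"
KEYSTORE_EXTS = (".keystore", ".jks", ".p12", ".pfx", ".pem", ".key")


def scan_apk(apk_bytes):
    """Return (path, reason) pairs for APK entries that look like key material."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)
            if name.lower().endswith(KEYSTORE_EXTS):
                findings.append((name, "keystore-like file extension"))
            if data.startswith(JKS_MAGIC):
                findings.append((name, "JKS keystore magic bytes"))
            if PEM_KEY_RE.search(data):
                findings.append((name, "PEM 'PRIVATE KEY' block"))
    return findings


def build_sample_apk():
    """Constructed APK for demonstration only; the key material is fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        # A keystore accidentally shipped under assets/, as the email describes.
        zf.writestr("assets/release.keystore", JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 32)
        # A PEM block hiding in a text file (constructed, not a real key).
        zf.writestr("assets/notes.txt",
                    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEfakefake\n-----END RSA PRIVATE KEY-----\n")
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in scan_apk(build_sample_apk()):
        print(f"{path}: {reason}")
```

Run it against the real APK with `scan_apk(open("app.apk", "rb").read())` before uploading; an empty result means none of the three signals were found, not that the APK is certainly clean.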

I think maybe you embedded your keystore inside the apk file.

Yes. I guess CoronaSDK is causing the issue.

Are you sure your private key is not in the same directory as the rest of your project code? If so, that is your problem, not Corona SDK.

Nope. There is no physical folder in CoronaSDK. Google mentions the private key is in the asset folder, but I cannot control which folder they put the private key in.

All my code is sent to their server in order to publish the apk. After that their server compiles the code and returns a complete APK file to me. I have to sign the APK file manually using keytool from the command prompt. Maybe it is because I am using an existing keystore from an Eclipse project?

Anyway, I don't use CoronaSDK anymore. Their support for Android is also quite bad because many devices cannot run it properly. They are more focused on iOS enhancements than on Android.