Is It Ok To Use Same Keystore For Several Apps?
Solution 1:
I'd recommend using different keystores if they are totally unrelated apps. If you end up selling one of the apps, you can give away the corresponding keystore without compromising the security of your other apps.
Solution 2:
The Android developer site actually recommends signing all of your apps with the same certificate:
You should sign all of your apps with the same certificate throughout the expected lifespan of your applications. There are several reasons why you should do so:
App upgrade: When the system is installing an update to an app, it compares the certificate(s) in the new version with those in the existing version. The system allows the update if the certificates match. If you sign the new version with a different certificate, you must assign a different package name to the application—in this case, the user installs the new version as a completely new application.
App modularity: Android allows apps signed by the same certificate to run in the same process, if the applications so request, so that the system treats them as a single application. In this way you can deploy your app in modules, and users can update each of the modules independently.
Code/data sharing through permissions: Android provides signature-based permissions enforcement, so that an app can expose functionality to another app that is signed with a specified certificate. By signing multiple apps with the same certificate and using signature-based permissions checks, your apps can share code and data in a secure manner.
However, you should take this advice with a grain of salt. The first bullet point only applies to updated versions of a given app, not to multiple unrelated apps. The second and third bullet points are only relevant if you intend your different apps to work closely together as described.
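The signature-based permission sharing mentioned in the quoted documentation, shown as an added example that is not part of the answer above or of the Android documentation. The package names, permission name and provider class are constructed for illustration, and the two manifests belong to two separate apps.

```xml
<!-- App A (constructed package com.example.notes): declares the permission
     and guards its content provider with it. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">

    <!-- protectionLevel "signature": the system grants this permission only
         to apps signed with the same certificate as the declaring app. -->
    <permission
        android:name="com.example.notes.permission.READ_NOTES"
        android:protectionLevel="signature" />

    <application>
        <!-- Exported, but readable only by holders of READ_NOTES. -->
        <provider
            android:name=".NotesProvider"
            android:authorities="com.example.notes.provider"
            android:exported="true"
            android:readPermission="com.example.notes.permission.READ_NOTES" />
    </application>
</manifest>

<!-- App B (constructed package com.example.widget): requests the permission.
     It is granted at install time only if B's signing certificate matches
     A's; otherwise the request is refused and reads of the provider fail. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.widget">
    <uses-permission android:name="com.example.notes.permission.READ_NOTES" />
    <application />
</manifest>
```

Because the grant depends only on the signing certificate, every app signed with that key can obtain READ_NOTES. When unrelated apps share one key, transferring the key along with one app also transfers the ability to sign apps that pass this check.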
Solution 3:
This is completely a matter of choice.
So, you have one keystore file and, corresponding to that, you have a password. Another thing that you have is an alias name and its corresponding pass; you can use this alias name as an identity for different apps. Just a piece of advice to keep things separate.
From my experience, using fewer passwords is always good, or else you keep them written down safely somewhere.
Solution 4:
It's OK, and expected sometimes. There are some cases when you even want to use the exact same key to sign different apps. Copying them all in different stores would be kind of silly, so you'd want to reference the same key in the same store for each app.