Avoid Disaster: Safeguard Your Keystore Files - Lessons Learned the Hard Way!
This article is a part of my Failure Story series.
Back in 2017, I was working on an app which was used for a very large conference held in Oman. The app's purpose was to show the agenda, speakers, rooms for sessions etc. It was a conference of Chief Financial Officers of different companies, so it was quite a high-profile app.
In the first year, I built the app and deployed it to Google Play; everything went smoothly and the app worked like a charm. A year later, in 2018, I was asked to update the app for the new conference and rebrand it a bit too. At this point I had already left the job, but the client insisted on me. So I worked with the company as a freelancer for about 2 months.
I did all the Android app updates, Gradle changes, code changes, the Java to Kotlin migration and even the Eclipse to Android Studio migration as well. It was somewhat tricky work, but I enjoyed it. And then the time came to publish the app on Google Play.
We realised that we didn't have the keystore file anymore. Apparently we had never pushed it to Bitbucket (yes, private GitHub repositories were not free at that time). Luckily, I found it on my personal laptop. Just for context: to update any Android app on Google Play, you have to use the same keystore file that was used to sign the original app.
Although we had found the keystore file, the problem was that nobody remembered the password or the key alias. It took me 2 days to brute-force the keystore and find the password. It was the cell phone number of the company's CTO.
Best Practices for Keystore Files
Those two days of brute-forcing, stress, and guessing passwords taught me a few lessons which I have never forgotten.
Backup Your Keystore Files: Always keep them checked into the repository, or at least in a shared office repository, so that you can access them at any time. Ideally, the keystore should be kept in more than one place, but it must be available in some place shared with the team. A good approach is to create a SHA key of the keystore, add it to GitHub Secrets (if the repository is hosted on GitHub) and push builds directly from GitHub Actions CI.
Use Password Management Tools: Always use a password management tool. I was a LastPass user from that point until I switched to Bitwarden. It's a fantastic tool and helps me a lot. For a company-wide shared vault, 1Password is also a great tool.
Learn From Mistakes: I learned it the hard way, but after that incident, keystores and passwords were never a problem for me when it came to Google Play. Alhamdulillah, I have published around 100+ apps in my career and this mistake was never repeated.
What if I really lost the keystore file?
I have no idea what the procedure to reset the keystore was in 2018, but now resetting it is straightforward. You can do it easily with the process below.
- Create a new keystore
- Generate a PEM certificate
- Submit the PEM certificate to Google
- Wait for 48 hours
- Publish a new build with the new keystore
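The first two steps of that reset, scripted with keytool (the JDK tool Android Studio uses for keystores), as an added example that is not part of the original post or of Google's tooling; it also base64-encodes the keystore so the build job can decode it back into a file, which is how the CI-secret backup from the lessons above is usually done. The alias "upload", the file names, the password and the distinguished name are placeholders I chose.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Assumed placeholders: alias
# "upload", output file names, and the -dname below.
set -eu

# Step 1: create a fresh keystore. Google wants an RSA key of at least
# 2048 bits; a long validity avoids the key expiring during the app's life.
# In real use prefer keytool's -storepass:env VAR form over a literal password.
create_keystore() {
    ks="$1"; alias="$2"; storepass="$3"
    keytool -genkeypair -keystore "$ks" -storetype PKCS12 -alias "$alias" \
        -keyalg RSA -keysize 2048 -validity 10000 \
        -storepass "$storepass" -keypass "$storepass" \
        -dname "CN=Example App, OU=Mobile, O=Example Ltd, L=Muscat, C=OM"
}

# Step 2: export the public certificate in PEM form. This is the file you
# submit to Google; it holds no private key, so sharing it is safe.
export_pem() {
    ks="$1"; alias="$2"; storepass="$3"; out="$4"
    keytool -exportcert -rfc -keystore "$ks" -alias "$alias" \
        -storepass "$storepass" -file "$out"
}

# Sanity check before you rely on the file: the alias must be a private key
# entry, not just a trusted certificate.
keystore_has_key() {
    keytool -list -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
        | grep -q PrivateKeyEntry
}

# Backup helper: single-line base64 of the keystore, ready to paste into a
# CI secret; the build job decodes it with `base64 -d` into a file again.
encode_for_secret() {
    base64 < "$1" | tr -d '\n'
}
```

Keep the password for the new keystore in the team password manager at the same time you create it, so the alias and password never again live only in one person's head.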
So, the next time you're tempted to overlook the importance of backing up your keystore file, remember my horrible failure. Trust me, it's a lesson you don't want to learn the hard way!
Finally, please subscribe to my newsletter #Time with Wajahat to learn about life experiences, lessons, career advice, and technology & programming tips, manually handcrafted and curated by Wajahat Karim.