🚨 Avoid Disaster: Safeguard Your Keystore Files - Lessons Learned the Hard Way!

This article is a part of my Failure Story series.

๐Ÿ› ๏ธ Back in 2017, I was working on an app which was used for a a very large conference held in Oman. The app purpose was to see the agenda, speakers, rooms for sessions etc. It was a conference of Chief Financial Officers of different companies, so it was quite a high-profile app.

💻 The first year, I built the app and deployed it to Google Play; everything went smoothly and the app worked like a charm. A year later, in 2018, I was asked to update the app for the new conference and rebrand it a bit too. At this point I had already left the job, but the client insisted on me. So I worked with the company as a freelancer for about 2 months.

🚀 I did all the Android app updates: Gradle changes, code changes, Java to Kotlin, and even the Eclipse to Android Studio migration. It was somewhat tricky work, but I enjoyed it. And then the time came to publish the app on Google Play.



🔥 We realised that we didn't have the Keystore file anymore. Apparently we had never pushed it to BitBucket (yes, GitHub private repositories were not free at that time). Luckily, I found it on my personal laptop. Just for context: to update any Android app on Google Play, you have to use the same Keystore file that was used to sign the original app.

โŒ Although we had found the keystore file, the problem was nobody remembered the password and alias key. It took me 2 days to brute-force the keystore and find the password. It was the cell phone number of CTO of the company.



Best Practices for Keystore Files

๐Ÿ‘‰๐Ÿฝ Those two days of brute-forcing, stress, and guessing passwords taught me a few lessons which I never forgot in my life again.

💾 Backup Your Keystore Files: Always keep them checked into the repository, or at least in a shared office repository, so that you can access them at any time. Ideally, the keystore should be kept in several separate places, but it must be available in some place shared by the team. A good approach is to store an encoded copy of the keystore in GitHub Secrets (if the repository is hosted on GitHub) and push builds directly from GitHub Actions CI.
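The Secrets-plus-CI approach described above, as an added example and not the author's own workflow: a GitHub Actions job that restores a base64-encoded keystore from repository secrets, signs the release build, and deletes the key afterwards. The secret names, the Gradle signing config reading the environment variables, and the artifact path are assumptions.

```yaml
name: release-build

on:
  push:
    tags: ['v*']

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      # Recreate the keystore from the base64-encoded secret.
      # The secret value was created once, locally, with: base64 -w 0 release.jks
      # (assumed secret names; rename to match your repository)
      - name: Restore signing keystore
        run: |
          echo "$KEYSTORE_BASE64" | base64 --decode > "$RUNNER_TEMP/release.jks"
          chmod 600 "$RUNNER_TEMP/release.jks"
        env:
          KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}

      # Assumed: the Gradle signingConfig reads these variables via
      # System.getenv(...) instead of pointing at a checked-in file.
      - name: Build signed release
        run: ./gradlew assembleRelease
        env:
          KEYSTORE_FILE: ${{ runner.temp }}/release.jks
          KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
          KEY_ALIAS: ${{ secrets.KEY_ALIAS }}
          KEY_PASSWORD: ${{ secrets.KEY_PASSWORD }}

      # Never leave the private key on the runner, even if the build failed.
      - name: Remove keystore
        if: always()
        run: rm -f "$RUNNER_TEMP/release.jks"

      - uses: actions/upload-artifact@v4
        with:
          name: release-apk
          path: app/build/outputs/apk/release/*.apk
```

Because the keystore lives only in encrypted repository secrets and a short-lived runner directory, nobody needs a copy on a personal laptop and the source repository never contains the private key.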

🔒 Use Password Management Tools: Always use a password management tool. I was a LastPass user from that point on until I switched to Bitwarden. It's a fantastic tool and helps me a lot. For a company-wide shared vault, 1Password is also a great tool.

✅ Learn From Mistakes: I learned it the hard way, but after that incident, keystores and passwords were never a problem for me when it came to Google Play. Alhamdulillah, I have published around 100+ apps in my career and this mistake was never repeated.


What if I had really lost the Keystore file?

I have no idea what the procedure to reset the keystore was in 2018, but now resetting it is straightforward. You can do it with the process below.

  1. Create a new keystore.
  2. Generate a PEM certificate.
  3. Submit the PEM certificate to Google.
  4. Wait for 48 hours.
  5. Publish a new build with the new keystore.

🎯 So, the next time you're tempted to overlook the importance of backing up your Keystore file, remember my horrible failure. Trust me, it's a lesson you don't want to learn the hard way!


At the end, please subscribe to my newsletter #Time with Wajahat to learn about the life experiences, lessons, career advice, and technology & programming tips handcrafted and curated by Wajahat Karim.




Wajahat Karim
๐ŸŒ Making the world a better place, one app at a time.
๐Ÿ”ฅ Google Developer Expert (GDE) in Androidย . ๐Ÿ“ฑ Professional Android Developer with ~10 years experience. ๐Ÿ’ป Creator of various Open Source libraries on Androidย . ๐Ÿ“ Author of two technical books and 100+ articles on Android. ๐ŸŽค A passionate Public Speaker giving talks all over the world.