๐Ÿšจ Avoid Disaster: Safeguard Your Keystore Files - Lessons Learned the Hard Way!

This article is a part of my Failure Story series.

๐Ÿ› ๏ธ Back in 2017, I was working on an app which was used for a a very large conference held in Oman. The app purpose was to see the agenda, speakers, rooms for sessions etc. It was a conference of Chief Financial Officers of different companies, so it was quite a high-profile app.

๐Ÿ’ป First year, I built the app and deployed it in Google Play and everything went smooth and app worked like a charm. A year later in 2018, I was asked to update the app for new conference and rebrand it a bit too. At this point, I had already left the job, but client insisted for me. So I worked with the company as freelancer for about 2 months.

๐Ÿš€ I did the whole Android app updates, Gradle changes, code changes, Java to Kotlin and even Eclipse to Android Studio migration as well. It was somehow tricky work but I enjoyed it. And then the time came to publish the app on Google Play.

๐Ÿ”ฅ We realised that we don’t have the Keystore file anymore. Apparently we never pushed it on BitBucket (yes Github private was not free at that time). Luckily, I found it in my personal laptop. Just for a context, to update any Android app on Google Play, you have to use the same Keystore file which was used in signing the original app.

โŒ Although we had found the keystore file, the problem was nobody remembered the password and alias key. It took me 2 days to brute-force the keystore and find the password. It was the cell phone number of CTO of the company.

Best Practices for Keystore Files

๐Ÿ‘‰๐Ÿฝ Those two days of brute-forcing, stress, and guessing passwords taught me a few lessons which I never forgot in my life again.

๐Ÿ’พ ๐—•๐—ฎ๐—ฐ๐—ธ๐˜‚๐—ฝ ๐—ฌ๐—ผ๐˜‚๐—ฟ ๐—ž๐—ฒ๐˜†๐˜€๐˜๐—ผ๐—ฟ๐—ฒ ๐—™๐—ถ๐—น๐—ฒ๐˜€: Always keep them checked in the repository or at least at a shared office repository. So that you can access it anytime. Ideally, Keystore should be kept in separate places, but it should be available on some shared place of the team. A good approach is to create SHA key of keystore and add it in Github Secrets (if repository is hosted on Github) and directly push builds from Github Actions CI.

๐Ÿ”’ ๐—จ๐˜€๐—ฒ ๐—ฃ๐—ฎ๐˜€๐˜€๐˜„๐—ผ๐—ฟ๐—ฑ ๐— ๐—ฎ๐—ป๐—ฎ๐—ด๐—ฒ๐—บ๐—ฒ๐—ป๐˜ ๐—ง๐—ผ๐—ผ๐—น๐˜€: Always use some password management tool. I used to be a LastPass user from that point until I switched to BitWarden. It’s a fantastic tool and helps me a lot. From a company shared view, 1Password is also a great tool.

โœ… ๐—Ÿ๐—ฒ๐—ฎ๐—ฟ๐—ป ๐—™๐—ฟ๐—ผ๐—บ ๐— ๐—ถ๐˜€๐˜๐—ฎ๐—ธ๐—ฒ๐˜€: I learned it hard way but after that instance, Keystores and Passwords were never a problem for me when it came to Google Play. Alhamdulillah, I published around 100+ apps in my career and this mistake was never repeated again.

What if I really lost Keystore file?

I have no idea that what was the procedure to reset the keystore in 2018, But now, resetting it, is a straightforward. You can do it easily with the process below.

  1. Create new keystore
  2. Generate a PEM Certificate
  3. Submit the PEM certificate to Google
  4. Wait for 48 hours.
  5. Publish new build with new keystore

๐ŸŽฏ So, the next time you’re tempted to overlook the importance of backing up your Keystore file, remember my horrible failure. Trust me, it’s a lesson you don’t want to learn the hard way!

At the end, please Subscribe to my newsletter #Time with Wajahat to learn learn about the life experiences, lessons, career advices, technology & programming tips manually handcrafted and curated by Wajahat Karim.

If you liked this article, you can read my new articles below:

profile card
Wajahat Karim
๐ŸŒ Making the world a better place, one app at a time.
๐Ÿ”ฅ Google Developer Expert (GDE) in Androidย . ๐Ÿ“ฑ Professional Android Developer with ~10 years experience. ๐Ÿ’ป Creator of various Open Source libraries on Androidย . ๐Ÿ“ Author of two technical books and 100+ articles on Android. ๐ŸŽค A passionate Public Speaker giving talks all over the world.
Author's picture

Wajahat Karim

๐Ÿ”ฅ Google Dev Expert (GDE) in Androidย .
๐Ÿ“ฑ Android Dev. ๐Ÿ’ป Open Source Contributorย . ๐Ÿ“ Technical Writerย . ๐ŸŽค Public Speaker

Senior Android Developer

Karachi, Pakistan