Given that I want to support all android devices which are, say, Froyo or later, what's the most secure signing algorithm I can use? I do not need to place my APK in Android Market.

I know, for instance, that some phones support sha1withrsa but not sha256withrsa (Link).

Roland
user1802936

1 Answer

Please refer to the Android dev guide on signing. The current default method is SHA1withRSA:

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name

while a few years ago the signing method recommended was MD5withRSA.


[...] what's the most secure signing algorithm I can use?

Are you concerned with some specific attack that makes you think that SHA1withRSA or SHA256withRSA would be more secure? I can't foresee any scenario.

mrucci
  • that doesn't seem to be the current (Jan 2014) advice in the http://developer.android.com/tools/publishing/app-signing.html doc. But I can attest that only MD5withRSA seems to work on the Sony Xperia E phone (Android 4.1) that I have in front of me. – jrg Jan 09 '14 at 19:28
  • They use `SHA1withRSA` as default/recommended method as of May 2015. – kravietz May 04 '15 at 23:11
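An added example, not from the answer above and not part of Android's tooling: a small Python check that reports which digest algorithm and key type an APK's v1 (JAR) signature actually uses, so a build can be confirmed as SHA1withRSA/SHA-1 before it is tested on the older handsets discussed here. It uses only the standard library; the sample APK, its digest values and its signature block are constructed placeholders.

```python
import io
import re
import zipfile

# Header names jarsigner writes into MANIFEST.MF and *.SF, keyed by the digest
# they imply. The v1 (JAR) scheme is the one older devices verify, so these
# headers are what decide whether such a device can install the package.
_DIGEST_RE = re.compile(
    r"^(MD5|SHA1|SHA-256|SHA-512)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)
_DIGEST_NAMES = {"MD5": "MD5", "SHA1": "SHA-1", "SHA-256": "SHA-256", "SHA-512": "SHA-512"}
# Signature block file extension -> key type (META-INF/CERT.RSA, .DSA or .EC).
_BLOCK_EXT = {".RSA": "RSA", ".DSA": "DSA", ".EC": "EC"}

def inspect_v1_signature(apk_bytes):
    """Return (digest algorithms, key types) used by the APK's v1 signature."""
    digests, keys = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("META-INF/"):
                continue
            upper = name.upper()
            if upper == "META-INF/MANIFEST.MF" or upper.endswith(".SF"):
                text = z.read(name).decode("utf-8", errors="replace")
                for m in _DIGEST_RE.finditer(text):
                    digests.add(_DIGEST_NAMES[m.group(1)])
            for ext, key in _BLOCK_EXT.items():
                if upper.endswith(ext):
                    keys.add(key)
    return digests, keys

def is_legacy_compatible(digests, allowed=frozenset({"SHA-1", "MD5"})):
    """True when every digest in the signature is one the old verifiers accept."""
    return bool(digests) and digests <= allowed

def sample_apk():
    """Constructed APK containing only the signing metadata, laid out the way
    `jarsigner -sigalg SHA1withRSA -digestalg SHA1` would write it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\nSHA1-Digest: AAAA\r\n\r\n")
        z.writestr("META-INF/CERT.SF",
                   "Signature-Version: 1.0\r\nSHA1-Digest-Manifest: BBBB\r\n\r\n"
                   "Name: classes.dex\r\nSHA1-Digest: CCCC\r\n\r\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder")  # not a real PKCS#7 block
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()
```

Point `inspect_v1_signature` at the bytes of a real release APK to see what your signing command produced; a result other than `{"SHA-1"}` or `{"MD5"}` is the case the question is worried about.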