“How and why Code Signing makes applications safe for download”
Reading this article should provide you answers to questions such as:
Will I get a virus on my device if I download this app from Google Play Store or App Store?
How do you know that the application is safe/secure?
______________________________________________________________________
Let's make this clear from the very start. Every app on the App Store and Google Play Store must have a Signing Certificate, which protects it from any unauthorized third-party interference that could harm the end user. This makes the Google Play Store and App Store very safe places to download applications from.
______________________________________________________________________
Code Signing is the process by which every app is marked by its creator so that it cannot be tampered with or changed by any third-party intruder. Every app that is eventually posted/uploaded to the Google Play Store or App Store needs a “Code Signing Certificate”. This implies that every app posted on these platforms (Stores) has been through rigorous checks performed by Apple or Google, depending on which Store the app is on.
Because of the viruses and malware that can be found on the internet, it is very important that users are able to trust applications published on the Internet. If you know that an application is signed by Microsoft Inc. instead of IWantToHackYou LLC., you’ll be much more likely to install it. There are two important ways in which Code Signing increases trust:
- Authentication. Verifying who the author of the software is.
- Integrity. Verifying that the software has not been modified since it was signed.
Google Play Store
Application signing allows developers to identify the author/maker of the application and to update their application without making the app more complex to use. Every application that runs on the Android platform must be signed by the developer. Applications that attempt to install without being signed will be rejected by either Google Play or the package installer on the Android device. These certificates play an important role in helping app developers protect the integrity of their applications for their end users. Code signing certificates signal to network providers and smartphone users that the app is safe to download and run.
“As a platform that provides numerous applications to its users, Android deeply understands the responsibility it bears in terms of offering safe applications. We all know about the potential dangers associated with downloading applications over a mobile network. Even a single malware-infected app can have severe effects on the developers’ reputation and the operating system providing applications to the users.” Android.Dev.Supp.
An Android code signing certificate shrink-wraps an application to assure its users of the app’s authenticity. It validates the source of the application and makes sure it doesn’t get modified. Android has designed its infrastructure so that a code signing certificate is required before an app is distributed in its store and becomes public. Basically, every app on the Google Play Store will be ‘Code Signed’ and checked by Google’s teams of skilled professionals.
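As an added illustration of the two checks described above (authentication: who signed it; integrity: nothing changed since signing), here is example code written for this article, not code from Google, Android, or the sources linked below. It stands in for an APK signature with a plain Ed25519 signature over constructed app bytes, and the update check models Android's rule that an update must be signed with the same key as the installed version (key rotation aside).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedPackage is a constructed stand-in for an app package: the app
// bytes, the signer's public key, and the signature over those bytes.
type SignedPackage struct {
	Payload   []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// Sign is the developer's step; the private key stays on their machine.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedPackage {
	return SignedPackage{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// Verify is the installer's step: the key must be the one the installer trusts
// (authentication) and the signature must be valid over the bytes (integrity).
func Verify(pkg SignedPackage, trustedKey ed25519.PublicKey) bool {
	if !trustedKey.Equal(pkg.PublicKey) {
		return false // valid-looking signature, but from a different signer
	}
	return ed25519.Verify(trustedKey, pkg.Payload, pkg.Signature)
}

// VerifyUpdate models the Android rule (key rotation aside) that an update
// is accepted only if signed with the same key as the installed version.
func VerifyUpdate(installed, update SignedPackage) bool {
	return Verify(update, installed.PublicKey)
}

func main() {
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub := devPriv.Public().(ed25519.PublicKey)
	v1 := Sign(devPriv, []byte("constructed app bytes v1.0"))
	fmt.Println("genuine:", Verify(v1, devPub)) // true
	tampered := SignedPackage{[]byte("v1.0 + injected code"), v1.Signature, v1.PublicKey}
	fmt.Println("tampered:", Verify(tampered, devPub)) // false
	fmt.Println("update by other key:", VerifyUpdate(v1, Sign(otherPriv, []byte("v2")))) // false
}
```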
Links for a more detailed and technical explanation:
- https://www.thesslstore.com/blog/android-code-signing-certificates-for-app-developers/
- https://source.android.com/security/apksigning/
App Store
Code signing an app assures users that it is from a known source and the app hasn’t been modified since it was last signed. Before an app can integrate app services, be installed on a device, or be submitted to the App Store, it must be signed with a certificate issued by Apple.
One thing we need to clear up is the term Signing. Signing an app allows iOS to identify who signed the app and to verify that the app has not been modified since it was signed. The Signing Identity consists of a public-private key pair that Apple creates for the developers who made the app. Think of the public key as a lock-only mechanism: you need to know the private key to unwrap, unlock or decode (change) the data again.
Source links for a more detailed and technical explanation:
- https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html#//apple_ref/doc/uid/TP40005929-CH1-SW1
- https://developer.apple.com/support/certificates/
Additional independent websites offering explanations and definitions regarding Signing Certificates for apps: