Closed bugwrangler closed 7 years ago
I guess the main point is that once you make a release build it is signed with the actual key of the developer/company to verify the integrity of the creator of the App. If for example an APK would be shipped as debug build the key used to sign the App was coming from the IDE (Android Studio) that was used during development. Nevertheless a debug build cannot be distributed via Play Store, so creating a release build is of course mandatory if an App should be published in an official App store. The developer/company needs to be aware of this requirement to think about how to maintain his keys especially if he creates more Apps, as the signing of different Apps with the same keys also allows interaction between the Apps. Using a release build in Android also enforces pro-guard rules and optimises the APK.
See also: https://developer.android.com/studio/publish/preparing.html
I feel technical term "release build" doesn't denote factual meaning. pls. look up my pull request. We should add one/two other requirements w.r.t release build concept including key used to sign build and User / enterprise certificate used for release build etc.
What do you think of this: https://github.com/OWASP/owasp-masvs/pull/61#discussion-diff-92522756R19
Align, thx!
Could you pls. elaborate this requirement ?