Last Updated on: 2024-09-09 09:59:28
When you build an OEM app based on OEM app template v4.5 or later, to enhance the security of your app, you must enable Signature Protection for Android. Otherwise, your OEM app cannot be built. If your app is maliciously re-signed and repackaged, an app launch can be forged. Signature Protection for Android helps protect your app and users from this malicious attack.
Tuya authenticates the signature information of your Android apps. Network requests from an app whose signature is not in your app's signature allowlist are rejected. To ensure normal access to your app, you must provide the latest signature information of your app on the Tuya Developer Platform so that it can be added to the signature allowlist. Users can then pass the authentication check and log in to your app as expected.
After you enable Signature Protection for Android on the Tuya Developer Platform, a signature file is automatically generated and added to the signature allowlist. This helps ensure the security of your app data.
The signature of an Android app can be modified in any of the following ways:
Manually re-sign the app
Reinforce the app
Configure the app signing key certificate on Google Play Console
Other methods
After an OEM app package is built, if you modify the signature in any of the preceding ways, you must enter the latest signature information on the Tuya Developer Platform. Otherwise, users will be unable to access your app.
Log in to the Tuya Developer Platform.
Go to App > OEM App > Required Setting, select your app to be managed, and then click the Certificate for Android tab.
Go to App Certificate for Android > Signature Protection for Android, and select the Enable option.
In any of the following conditions, to ensure normal access to your app, you must add the latest SHA-256 certificate fingerprint to the Tuya Developer Platform:
You have configured the app signing key certificate on Google Play Console. For more information, see How can I check the SHA-256 certificate fingerprint of my app that is launched on Google Play?
You have re-signed your app with the SHA-256 algorithm.
SHA-256 is a secure hash algorithm. It converts input data into a fixed-size 256-bit value. The output varies depending on the input: even a small difference in the input results in a significant change in the output. This enhances data security.
Go to App Certificate for Android > Signature Protection for Android, and click Add SHA256 Hash Value. In the field that appears, enter the SHA-256 hash value.
Click Save.
To ensure the security of your app information, do not provide Tuya with any file like a keystore to configure your certificate. Instead, you must copy and paste your SHA-256 certificate fingerprint from Google Play Console to Tuya Developer Platform > Add SHA-256 Hash Value.
Go to Google Play Console, select your app, choose Release > Setup > App integrity > App signing > App signing key certificate, and then find the field SHA-256 certificate fingerprint.
Use keytool to get your app signature information. Open your terminal and run the following keytool commands to check the digest for your app:
Get the digest for the APK signature.
keytool -printcert -jarfile xxx.apk
Get the digest for the keystore signature.
keytool -list -v -keystore xxx.keystore
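A pre-release check built on the keytool command above, as an added example that is not part of Tuya's documentation: it pulls the SHA-256 fingerprint out of keytool output and compares it with the value registered on the platform, ignoring case and colons. The function names, the sample keytool output and the fingerprint values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tuya code). Function names are hypothetical.

# Normalize a fingerprint: drop colons/whitespace, uppercase, require 64 hex chars.
normalize_fp() {
  nf=$(printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F')
  case "$nf" in
    ''|*[!0-9A-F]*) return 1 ;;
  esac
  [ "${#nf}" -eq 64 ] || return 1
  printf '%s\n' "$nf"
}

# Read keytool output on stdin; succeed if any signer's SHA256 line equals $1.
# Exit status: 0 match, 1 no match, 2 malformed expected value.
fingerprint_matches() {
  fm_expected=$(normalize_fp "$1") || return 2
  for fm_fp in $(awk '$1 == "SHA256:" { print $2 }'); do
    fm_actual=$(normalize_fp "$fm_fp") || continue
    if [ "$fm_actual" = "$fm_expected" ]; then return 0; fi
  done
  return 1
}

# Real use (needs a JDK): check_apk xxx.apk "<fingerprint registered on the platform>"
check_apk() {
  keytool -printcert -jarfile "$1" | fingerprint_matches "$2"
}

# Constructed sample of keytool output; the fingerprint values are made up.
SAMPLE_KEYTOOL_OUTPUT='Signer #1:
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
     SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# The registered value may have been pasted in lowercase or without colons.
REGISTERED='00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'
if printf '%s\n' "$SAMPLE_KEYTOOL_OUTPUT" | fingerprint_matches "$REGISTERED"; then
  echo "signing certificate matches the registered fingerprint"
else
  echo "MISMATCH: update the fingerprint on the platform before release" >&2
fi
```

Running check_apk in a release pipeline catches a re-signed package before users hit the login failure that an unregistered fingerprint causes.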
Go to Tuya Developer Platform > App > App SDK > SDK Development.
Select your SDK-based app and go to the Get SDK tab.
In the Certificate section, click Add SHA256 Hash Value and enter your SHA-256 certificate fingerprint in the input box.
Click Save.
If the following error message is returned during the login to your app, you can troubleshoot the error in the following ways.