Enable Signature Protection for Android

When you build an OEM app based on OEM app template v4.5 or later, to enhance the security of your app, you must enable Signature Protection for Android. Otherwise, your OEM app cannot be built. If your app is maliciously re-signed and repackaged, an app launch can be forged. Signature Protection for Android helps protect your app and users from this malicious attack.

Background information

Tuya authenticates the signature information of your Android apps. All network requests that are not included in the signature allowlist of your app will be rejected. To ensure normal access to your app, you must provide the latest signature information of your app on the Tuya IoT Development Platform. This way, the latest signature information can be added to the signature allowlist. This allows users to pass the authentication check and log in to your app as expected.

After you enable Signature Protection for Android on the Tuya IoT Development Platform, a signature file is automatically generated and added to the allowlist. Your app data security can be ensured.

The signature of an Android app can be modified in any of the following ways:

• Manually re-sign the app

• Reinforce the app

• Configure the app signing key certificate on Google Play Console

• Other methods

  After an OEM app package is built, if you modify the signature in any of the preceding ways, you must enter the latest signature information on the Tuya IoT Development Platform. Otherwise, users will be unable to access your app.

Step 1: Enable Signature Protection for Android

1. Log in to the Tuya IoT Development Platform.

2. Go to App > OEM App > Required Setting, select your app to be managed, and then click the Certificate for Android tab.

3. Go to App Certificate for Android > Signature Protection for Android, and select the Enable option.

   

Step 2: Add SHA-256 hash value

SHA-256 is a type of secure hash algorithm. The data encrypted with the SHA-256 algorithm is converted into a fixed-size 256-bit binary value. The output varies depending on the input. Even a small difference in the input will result in a significant change in the output. This enhances data security.

In any of the following conditions, to ensure normal access to your app, you must add the latest SHA-256 certificate fingerprint to the Tuya IoT Development Platform:

• You have configured the app signing key certificate on Google Play Console.
• You have re-signed your app with the SHA-256 algorithm.

FAQs

How can I check the SHA-256 certificate fingerprint of my app that is launched on Google Play?

Go to Google Play Console, select your app, choose Release > Setup > App integrity > App signing > App signing key certificate, and then find the field SHA-256 certificate fingerprint.

How can I check the SHA-256 digest for my Android app?

Use keytool to get your app signature information. Open your terminal and use keytool to run the following command to check the digest for your app:

1. Get the digest for the APK signature.

   	keytool -printcert -jarfile xxx.apk
   

   

2. Get the digest for the keystore signature.

   	keytool -list -v -keystore xxx.keytore
   

   

How can I add SHA-256 hash values for my app that is developed based on Tuya’s App SDK?

1. Go to Tuya IoT Development Platform > App > App SDK > SDK Development.

2. Select your SDK-based app and go to the Get SDK tab.

3. In the Certificate section, click Add SHA256 Hash Value and enter your SHA-256 certificate fingerprint in the input box.

4. Click Save.

   

Troubleshoot an error

If the following error message is returned during the login to your app, you can troubleshoot the error in the following ways.

For OEM app

1. Check whether the app package is renamed.
2. Check whether the SHA-256 hash values are configured.

For App SDK

1. Check whether the app package is renamed.
2. Check whether the SHA-256 hash values are configured.
3. Check whether the configured App Key and App Secret are correct.
4. Check whether the App SDK has the security image configured.