cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

This product reached the end of support date on March 31, 2021.

Using Dynatrace gradle plugin and Signing

yair_mashmor
Guide

Hi all,

We are instrumenting a native android mobile app using the Dynatrace Gradle plugin (version 7.1.9.2123).

All is going well, but the instrumented apk is not getting the Signing definitions that are in android studio.

I read in the documentation that the Dynatrace gradle plugin gets the Signing info from the build.gradle itself (https://www.dynatrace.com/support/doc/appmon/short...), but we are not using gradle for signing as i mention, but the android studio signing wizard.

We don't want to add the Signing info to the gradle build in order to solve this, since it poses a security risk (anyone opening the apk can view that info).

How can the Dynatrace gradle plugin get the signing information from android studio itself?

Thank you,

Yair


6 REPLIES 6

Did you tried external auto-instrumentator?


Yes, but we want to work in a more streamlined way, which the gradle plugin allows.


Thomas_Wirth1
Dynatrace Pro
Dynatrace Pro

The Dynatrace Gradle plugin should be able to correctly sign the APK, when you use the AKP signing wizard from Android Studio. In your case the signing information is not stored in the build.gradle file, but the information is passed to the Android Gradle plugin, that build and signs the APK.The Dynatrace Gradle plugin receives the signing information from the Android Gradle plugin. The only difference between the wizard and the "build.gradle approach" should be the (default) output folder.

The Dyntrace Gradle plugin always replaced the uninstrumented APK with the instrumented (and signed) APK. In the wizard you can determine the output folder and therefore the instrumented and signed APK is stored in the specified output folder. I assume that the default recommendation of the wizard is:

<project>/<module>/<variant>/<app_name>.apk

You have to ignore the output of the Dynatrace Gradle plugin, because it only shows the output folder of the internal debug APKs. These APKs are only relevant, when you start the auto-instrumentor via the command-line and not with the Dynatrace Gradle plugin. We will improve the user-experience for the Dynatrace Gradle plugin, so it is less confusing.

Note:

We don't want to add the Signing info to the gradle build in order to 
solve this, since it poses a security risk (anyone opening the apk can
view that info).

That's not true. There is no difference between the signing wizard and the "build.gradle approach". The passwords and keystore files will not be stored in the APK file. The only problem could be that you store the source code in a public repo. Then the build.gradle file is visible to other people. In this case Android recommends to replace the signing information with Gradle properties. In this case you can keep the signing information private and secure. For more information look at the official Android documentation.


Thank you for your detailed answer.

So, to summarize - the Dyantrace gradle plugin replaces the apk with an instrumented one, that also gets the Signing info from the Android Studio. Is that right?

We will go over the apk again if that is the case.

Regarding the Signing info in the build.gradle - thank you for clearing that up. The reason we thought it is not secure is this (from the Android documentation):

"Configure Gradle to sign your app"

"Note: In this case, the keystore and key password are visible directly in the build.gradle file. For improved security, you should remove the signing information from your build file."

But if that means it is only visible if the gradle file is in a public repo than is not an issue.

Thank you,

Yair


So, to summarize - the Dyantrace gradle plugin replaces the apk with an 
instrumented one, that also gets the Signing info from the Android
Studio. Is that right?

Yes. Technically the Dynatrace Gradle plugin gets the information from the Android Gradle plugin. Therefore it should make no difference which approach you use.

"Configure Gradle to sign your app"
"Note: In this case, the keystore and key password are visible directly in the build.gradle file. For improved security, you should remove the signing information from your build file."

Normally you don't want to store the keystore file and the password in a repo, because not every person that works on the app should have access to this information. This information is also stored in the repo history, which makes it hard to remove it at a later time point.

A common scenario is that only the build server has access to the signing information and the app developers have only access to the build results (in this case the APK).


Thank you very much @Thomas W. Helped a lot!