Home » Software Security Blog » What Certificate Is Used to Sign Apps?
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...
certificate used to sign app

Deep Instinct’s 2020 Cyber Threat Landscape Report shows that malware increased 358% overall in 2020. Thankfully, there’s a certificate you can use to sign apps that helps users determine whether your application is legitimate. Discover which certificate can protect your customers, ensure the integrity of your apps, and increase trust and confidence in your brand.

In a world where software is behind every business, and apps are used and installed on every device, trust and security are paramount. As a developer or publisher, using a digital certificate to sign your apps is the best way to protect their integrity, your users and ensure a smooth customer experience.

App Annie’s State of Mobile 2021 report shows that mobile apps were downloaded 218 billion times in 2020. As of 2018, there were 35 million Windows desktop apps available to download and the figure has continued to grow since that time. Imagine how much damage an attacker could cause by capitalizing on these numbers by creating phony software applications or compromising legitimate ones without users knowing it.

app annie - state of mobile 2021 report
Image Source: App Annie – State of Mobile 2021 Report

Furthermore, according to McAfee Labs Threats Report, in the Q4 2020, they detected 648 new malware threats every minute, representing an increase of 10% versus the previous quarter.

In this article, we’ll discover which type of digital certificate plays a key role in protecting users from downloading and installing malware-infected apps. We will explore how this certificate works and talk about how you can become a trusted developer and get the most out of using it.

What Certificate Is Used to Sign Apps? A Code Signing Certificate Overview

Code signing certificates are small digital files that developers and publishers use to assert digital identity and ensure the integrity of their software and code. How does this help you? The answer is by building digital trust in your brand and products, which nurtures your relationships with customers in this era of digital transformation.

The code signing certificate protects the integrity of your apps, providing an additional layer of security. It uses a private key to sign the code and a public key to confirm its signature. The process of code signing helps you not prove that you legitimately released the software, but it also uses a cryptographic function called hashing to provide a way for users to know whether your software has been tampered with since you originally signed it.

Of course, a code signing certificate is just one of several types of X.509 digital certificates you can use to make your business and/or communications more secure. Other examples include:

  • The S/MIME email certificates. Also known as an email signing certificate, this small digital file enables encrypted email and allows the recipient to verify the message’s authenticity and the sender’s identity.
  • The SSL/TLS certificates. Installed on servers, this website security certificate ensures encrypted and secure communication between the server and the client (user’s web browser).
  • The document signing certificates. Used to digitally sign many types of files, it certifies that the signed document has not been modified and confirms the author’s identity.
  • The client authentication certificates. Often utilized to restrict access to databases, it verifies the identity of an individual or a device in order to establish a secure, encrypted connection to web apps or other resources.
  • The IoT device certificates. It protects connected devices, ensuring a hacker-proof, encrypted communication within the network, which guarantees authenticity and data integrity.

All these certificates are based on asymmetric cryptography and harness the power of public key infrastructure.

Code Signing Certificate Supported Platforms

Code signing certificates support multiple platforms and can be used to sign desktop applications, scripts, mobile apps (depending on how you plan to distribute them, more about it in the following chapter), and other executables.

Here are a few examples of the most known supported platforms:

  • Microsoft Windows. If you’re planning to develop a new app for Microsoft 10, for example, both standard and EV code signing certificates can be used to sign it.
  • MacOS/iOS. You can sign macOS applications using a traditional code signing certificate using the macOS codesign command. However, doing so will require additional steps that are specific to Apple and involve using an Apple-issued certificate as well. (Learn more about signing for macOS and iOS later in the article.)
  • Microsoft Visual Studio. To be able to develop mobile or web apps with Visual Studio, you will also need to have a valid code signing certificate.
  • Java. Apps built on Java can and should be signed with a code signing certificate using the Java Development Kit (JDK).
  • Adobe. Air applications will only work if they’re signed by a code signing certificate (standard or EV, it doesn’t matter) issued by an authorized CA.

… And these are just a few examples. You may have noticed that we didn’t mention Mac OS, iOS or the apps distributed in specific mobile app stores. This is because they’re part of an exceptional group that we’re going to talk about later in the article.

Benefits of Digitally Signing Your Apps (i.e., Why You Should Use a Code Signing Certificate)

The most popular app stores, official vendor sites and operating systems require or, in some cases, at least prefer digitally signed apps. Why? Because code signing has several benefits. Let’s have a look to the most important ones from a developer’s perspective:

  • Code signing protects the integrity of your code. When the hash used to sign the application doesn’t match the hash of the downloaded app, the user gets a security warning. This ensures that even the smallest change, no matter if accidental (file corruption) or intentional (hacker attack) is detected. Of course, all of this happens on the back end, so the user doesn’t have to navigate the cryptographic functions themselves.
  • Code signing certificates validate your identity and promote trust. When the user downloads the app signed with a code certificate, the information about the publisher’s organization details will be displayed as a verified publisher. The user will immediately know that the app has been developed by you and nobody else, which promotes trust in your brands and products.
  • Helps your software stay compliant with industry authentication standards. When you sign your apps with a code signing certificate issued by an approved CA, you’ll always meet the industry authentication standard requirements defined by the National Institute of Standard and Technology (NIST) and the Certification Authority Browser Forum (CA/Browser Forum).
  • Code signing helps increase your revenue through more widespread distribution. Developers who sign their apps can distribute them on a higher number of platforms and app stores, helping them reach larger audiences. This is due to the fact that, in many cases, code signing has become a prerequisite to be able to publish many of the major app stores and platforms.
  • Automatic trust minimizes & eliminates security warnings. When you use a code signing certificate to sign your apps and updates, your customers will enjoy a much smoother download experience. The Windows SmartScreen security warnings will either show your verified identity or the warnings will be eliminated entirely — which depends on the type of code signing certificate you use (we’ll talk more about that later on in this article) — because browsers and operating systems will automatically trust them. This helps to enhance the publisher’s reputation and boost downloads.
  • Now that we’ve seen the key benefits of using a code signing certificate to sign your apps, we can move on and learn how you can improve your reputation and popularity as a developer utilizing a code signing certificate.

Become a Trusted Developer: Discover What Certificate Is Used to Sign Apps That Makes You a Trusted Developer

In today’s digital world, signing apps with a certificate has become essential for all developers who wants to distribute their applications securely over the internet through multiple platforms.

As explained in one of our previous articles, “What Is a Digital Certificate? PKI Digital Certificates Explained,”” there are many types of digital certificates available in the market to address different needs (SSL/TLS, email signing, document signing, etc.). However, there is only one type of certificate that ticks all the boxes for application and script signing: the code signing certificate.

The Two Types of Code Signing Certificate Options to Choose From to Sign Your Public Apps

Depending on the level of security and the Certificate Authority validation process, code signing certificates are classified into two specific types:

Standard Code Signing Certificate

This type of code signing certificate gets issued by a certificate authority (CA) after the trusted authority performs a standard developer’s background check. The certificate confirms to the user the integrity of the app and the identity of the vendor. It offers limited features.

  • During the download, the security warning “Unknown Publisher” usually appearing with unsigned apps, is replaced by a pop-up message showing the developer’s verified organizational details.
verified publisher
  • The private key is stored on the developer’s workstation instead of on a server.
  • It enables you to extend the lifetime of your digital signature through the implementation of timestamping. This way, even when your certificate expires, you don’t have to re-sign every single app. With timestamping your code will remain secure and the users won’t even notice it.

Extended Validation Code Signing Certificates

Also issued by a Certificate Authority (CA), it requires a more rigorous vetting process, but it comes with additional security features.

  • It’s immediately recognized by browsers and operating systems, allowing it to bypass the Windows SmartScreen warnings.
  • It offers enhanced security with two-factor authentication as the private key is stored externally on a secure hardware token.
  • Much like with standard code signing certificates, an EV certificate’s timestamping extends the lifetime of your digital signature through the implementation of timestamping so that, even after your certificate expires, your digitally signed apps are still trusted for years to come.
  • It’s compatible with all major platforms.
  • It supports hardware security modules (HMS), simplifying the management of the certificate and allowing any authorized users within your organization to sign apps with it.

Because of the stronger level of security and the additional features offered, the extended validation code signing certificate is by far the best choice for a developer aiming for the best and more secure customer experience.

What About Self-Signed Code Signing Certificate?

A self-signed code signing certificate is a digital certificate that you create and digitally sign for use within development and testing environments. Because it’s self-signed and not signed by a trusted third party (i.e., a certificate authority), it’s not going to be recognized as coming from a trusted or verified publisher.

Many developers and businesses are tempted to use self-signed code signing certificates to distribute their software or apps, thinking that it will help save money because they won’t have to buy certificates. However, what they don’t realize is that, in the long term, it will end up costing them much more than the simple cost of a certificate. Why?

Put yourself in the shoes of your users: What would you do when you download an app and, when you try to install it, displays scary security alerts like the one below?

unknown publisher warning

You’d stop the installation and go somewhere else right? This is exactly what happens when a customer downloads a self-signed app. They’re likely to get scared off by the warnings and look elsewhere for an alternative product (as they should!). As a result: you’ve lost a customer and your reputation is damaged.

Therefore, while a self-signed code signing certificate can be used for software and applications that are used within testing environments (even if, also in these cases, some concerns could arise), it should never be used to sign applications or other executables that are sold or distributed to the public.

Google Play, Apple App Store and Mac App Store Exceptions

Two of the largest app markets globally, the Google Play and the Apple App Store, have very specific requirements and standards when talking about apps development.

This means if you want to sign mobile apps that you can sell or distribute through the companies’ websites or mobile app stores, then you’ll have to follow their signing process and use their code signing certificates.

  • Google Play. If you’re planning to develop an Android app to distribute on Google Play, you’ll need to:
    • Create a Google developer account, and
    • Sign every app with a specific developer certificate issued by Google.
  • Apple App Store. To sell or distribute your iOS mobile apps via the official App Store, there are some things you’ll need to do first:
    • Create a valid Apple Developer Program account,
    • Follow Apple’s publishing process and
    • Sign your app with an Apple App Store iOS Distribution certificate.
  • Mac App Store. For macOS applications that you want to distribute to users with Gatekeeper-enabled devices, you’d have to follow a similar process:

Now that you’ve learned what certificate is used to sign apps and explored the different types of certs that are available, we can move on and have a look to how a code signing certificate works.

How a Code Signing Certificates Works and How It Looks Like

Using a code signing certificate isn’t complicated. It can be easily incorporated into the development process through an API, streamlining the workflow and simplifying the certificates management process.

Once you’ve purchased and installed your code signing certificate on the platform of your choice (for example, on your Windows device’s MMC or in Firefox’s Certificate Store), you can start signing your app right away. A digital signature will be appended to the code, a hash function will be created, and the output will be encrypted with a private key.

Example of a code signing certificate digital signature and timestamping-related information.
Example of a code signing certificate digital signature and timestamping-related information.

As a result, when the user downloads the app, the user will see a security warning or error message pop up if the hashes or the signatures don’t match. In some cases, depending on the browser or operating system they’re using, the user may also be prevented from downloading the app altogether.

If they match, the user will be confident that your app is safe and that it hasn’t been tampered with. They’ll be able to download it, install it, and start using it.

You can find more detailed information about the code signing certificate architecture and the verification mechanisms of a code signing signature in our latest article, “What Is Code Signing – An In-Depth Look at This Secure Coding Process.

Final Thought on What Certificate Is Used to Sign Apps

Code signing has become an essential tool for developers and software publishers that want to secure and promote their apps. It allows author and integrity verification, enabling users and customers to trust that you’re a legitimate developer or publisher and know that your software hasn’t been altered since it was signed. This is crucial considering that businesses and customers are increasingly reliant on software applications.

Taking into account all that has been discussed in this article, the best answer to the question “What certificate is used to sign apps?” is the following: if you want to ensure immediate trust, enhanced security, and boost downloads of your applications, the best certificate to sign apps with is the EV code signing certificate.

You’ve worked too hard to become a software developer, putting your heart and soul into it to do otherwise. You deserve the opportunity to improve your online reputation among customers, peers, and organizations! Minimize the risks of attacks and make your app shine with an extra security boost! Protect your apps and your customers with a code signing certificate! Your customers will thank you and reward you with loyalty and more downloads.