
Code Transparency For App Bundles in Android 13

Last Updated : 03 Feb, 2023

Before shipping a new app, you may want to understand how code transparency can give you and your users stronger assurance about the app bundles you deliver, as a complement to the signing mechanism you already have in place. For apps released using the Android App Bundle, code transparency is an optional code signing and verification approach. It makes use of a signing key for code transparency that is owned only by the app developer. You can sign your code with the native method built into Android Studio, or you may enroll in Google Play Signing; either way, you need to sign your app before it reaches the public, and Android 13 can help by adding more transparency. In this Geeks for Geeks article we will learn how you can adopt this new mechanism.

How Is Code Transparency Better than Usual Signing?

Code transparency exists regardless of the signing method used for app bundles and APKs. When using Play App Signing, the app signing key is kept on Google's secure infrastructure, separate and distinct from the code transparency key.

Image #1: Understanding the Code - Transparency

Current Downsides of Using Code Transparency (Up-until Android 13)

Everything has some limitations, and Code Transparency is no exception. We will now discuss them:

  1. Apps that include the sharedUserId manifest property:
    It is challenging to guarantee that such apps are executing the code they claim to be, as they may share their process with other applications.
  2. Code transparency verification will not work for apps that use anti-tamper protection or any other service that modifies the code after the code transparency file is generated.
  3. Applications that use feature modules and legacy Multidex on API levels lower than 21 (Android 5.0) are not supported. On Android 5.0+ devices, code transparency will still function when the app is installed through Google Play.
  4. Older OS versions do not support code transparency.

GeekTip: Code transparency verification is used only by developers and end users to check that the code they are executing is the same as the code that was created and signed by the app developer.

Understanding Code Transparency introduced in Android 13

The code transparency file is propagated to the base APK built from the app bundle (specifically to the main split of the base module). Verification then proceeds as follows:

  • The DEX files present in the APK are hashed and checked against the entries in the code transparency file.
  • The public key, which Google Play generates, is obtained for use in step 3.
  • Combining the DEX hashes with the available public key, the signature is checked to determine whether it has been compromised.

How to Add Code Transparency?

The first thing you need to ensure is that you have opted in to Google Play signing of your keys; otherwise you will not be able to use the code transparency feature discussed in this article. Once you are part of this program, you simply need to make a few changes to your app so that it supports this functionality natively.

Step #1: Using Gradle

You can add the functionality by adding these lines to your Gradle file. Android Gradle plugin version 7.1.0-alpha03 or later is required for code transparency support. Add the following to the bundle block to customize the key used for code transparency signing:

Kotlin

android {
    ...
    bundle {
        // Add these lines to your app's Gradle file
        codeTransparency {
            signing {
                keyAlias = "Android"             // alias of the code transparency key in the keystore
                keyPassword = "gfgAuth"          // password protecting that key
                storeFile = file("pathtostore")  // keystore that holds the code transparency key
                storePassword = "SOME_KEY"       // keystore password
            }
        }
        // Additional code as per your requirement goes here.
    }
}


Step #2: Run bundletool to Add Code Transparency

The key used must not be the app signing key used by Play App Signing, but one that you use exclusively for code transparency. You then need to run bundletool from the command line (the Android Studio terminal works for this). To add code transparency to an Android App Bundle, enter the following command:

# --output must be a new file; writing back over the input bundle is not supported
bundletool add-transparency \
  --bundle=/gfgApp/gfgApp.aab \
  --output=/gfgApp/gfgApp_with_transparency.aab \
  --ks=/gfgApp/keystore.jks \
  --ks-pass=file:/gfgApp/keystore.pwd \
  --ks-key-alias=gfgAlias \
  --key-pass=file:/gfgApp/key.pwd

With this, you have successfully added Code Transparency to your app. You may now wish to check that what you added works, so in the next step we will see how to verify your implementation.

Verifying Code Transparency

Code transparency in an app bundle or an APK set can be verified with bundletool. To print the public certificate fingerprint, use the check-transparency command:

# For verifying if the CT was added to the bundle:
bundletool check-transparency \
  --mode=bundle \
  --bundle=/gfgApp/gfg_App_With_Courses.aab

Conclusion

For apps released using the Android App Bundle, code transparency is an optional code signing and verification approach. It makes use of a signing key for code transparency that is owned only by the app developer. We hope this article helped you learn something new today and that you will implement Code Transparency in your Android app.
