I am creating a white label application for Android.
This means I automate the creation and updating of thousands of Android apps for different customers. Each app uses a different configs, so they are all slightly different depending on the customer needs (e.g. theme, logos)
Android apps needs to be signed using a key.
My question is how should I go about handling signing the different apps for different customers.
The solutions I had are as follows:
1. Store a different keystore for each app with the same password
- I would create a different key store for each app, containing a single key
- I will then store this keystore in a S3 bucket.
- I could have all the keystores with the same simple password (as blank is not allowed, or causes problems).
2. Store a different keystore for each app with different auto-generated password
- Same as (1), but have a unique auto-generated password for each key store.
- The password would be stored in the MySQL database as plain text (or perhaps encrypted by the same key).
- This seems like security by obfustruction. Hence I was thinking for going for method (1).
3. Create a single key store stored in S3, with a different key for each app
- I could also create a single key store stored in a S3 bucket
- Each app would be a key in the key store
- Each key could either have the same password like in (1), or different like in (2)
- I imagine the issue with this is that the keystore could get quite large when there are thousands of keys.
The solution I was planning to go for was (1).
Which solution would be best? Are there any better solutions? Are there pro's and con's that I have not discovered?