androidfluttergradlechaquopy

App contains embedded private keys or keystore files


i'm trying to publish my app on Play Store, and i receive an error during the progress. Im using a gradle plugin which is "Chaquopy" in this project and found out a warning from Play Store that related to this plugin.

Security Alert: Your app contains embedded private keys or keystore files This app contains one or more private keys or keystore files embedded in its published APK as listed at the end of this message. These embedded items can be accessed by third parties, which can raise a variety of different security concerns depending on what the key is used for. For example, if the private key is the signing key for your application, a third party could sign and distribute apps that replace your authentic apps or corrupt them. Such a party could also sign and distribute apps under your identity. As a general security practice, we strongly recommend against embedding private keys and keystore files in apps, even if the keys are password protected or obfuscated. The most effective way to protect your private key and keystore files are not to circulate them. Please remove your private keys and keystore files from your app at your earliest convenience. For more information about keeping your keys secure, please see https://developer.android.com/tools/publishing/app-signing.html. You have a responsibility as a developer to secure your private key properly, at all times. Please note: Applications with vulnerabilities that expose users to risk of compromise may be considered in violation of our 'Malicious Behaviour' policy and section 4.4 of the Developer Distribution Agreement. assets/chaquopy/requirements-common.imy.UNPACKED_ARCHIVE/future/backports/test/badcert.pem assets/chaquopy/requirements-common.imy.UNPACKED_ARCHIVE/future/backports/test/badkey.pem assets/chaquopy/requirements-common.imy.UNPACKED_ARCHIVE/future/backports/test/keycert.passwd.pem assets/chaquopy/requirements-common.imy.UNPACKED_ARCHIVE/future/backports/test/keycert.pem assets/chaquopy/requirements-common.imy.UNPACKED_ARCHIVE/future/backports/test/keycert2.pem assets/chaquopy/requirements-common.imy.UNPACKED_ARCHIVE/future/backports/test/ssl_key.passwd.pem assets/chaquopy/requirements-common.imy.UNPACKED_ARCHIVE/future/backports/test/ssl_key.pem

I tried upgrade the latest version of Chaquopy plugin but it still not resolve my error here. Please help me with this.


Solution

  • These are some files included with the future package. Chaquopy itself does not use this package, so you must have added it directly or indirectly with one of your pip requirements. However, the files are only test data, which is not a security risk, so the message can be safely ignored.