Writing and running Android applications for your own amusement is all well and good, but the point of creating new applications is to share them with others, whether you charge money for them or give them away for free. Google has created Android Market just for that purpose. Anyone with a connected Android phone can open the Android Market application and immediately download any of hundreds (soon to be thousands) of applications expressly designed for Android. These applications range from the very practical (Navigation, Timesheets, File Managers, etc.) to the downright silly (applications that make rude noises for the fun of it). There are a number of steps any application developer will go through in preparing and submitting an application to Android Market:
Thoroughly test the application—at least with the Android emulator, but also with as many actual Android devices as you can lay your hands on. There is no substitute for testing applications on real phones under real mobile network conditions to prove that they work as you intend. The last thing you want is thousands of people upset with you because your application doesn’t work the way they expect it to.
Decide whether you’d like to add an End User License Agreement (EULA) to your application. This is normal practice in the industry (it’s the “click to accept” license that you see when you download an application, even on desktops), and is strongly advised. You can create your own license using one you’ve seen that you like, or you can have a lawyer create a new one for you. Again, you don’t have to have a EULA to submit your application, but it is strongly advised.
Create the icon and label you want displayed for your application in the Application Launcher, and attach them to your application.
Clean up the application for release: turn off debugging, get rid of any extraneous print or logging statements that you had in for debug, and take a final look at the code to clean it up.
Make sure you’ve included a version number and a version name in your manifest file, and of course, bump the version number if this is a new version of a previously released application.
Create a signing certificate, and, if needed, a Map API Key, as described in this chapter.
Recompile your application for release using Android Tools.
Sign your application using jarsigner
and your signing
certificate.
Retest your signed application to be sure no errors were entered during the process.
You’ve probably been developing your application using the Android Emulator that is part of the Android Developers Kit. If you haven’t already done so, take the time to load your application on a real Android device (such as the T-Mobile G1 phone), and test the application again. The emulator is very good, but there are a number of things that can be different between the desktop emulation and a real device:
The Android SDK emulates a device like the T-Mobile G1, with a half VGA screen (320×480), roughly 3.2 inches in diagonal measure. Real Android devices will have a variety of screen shapes, sizes, and resolutions, so you need to know how your application will function on those different devices.
The SDK emulates only portrait mode, with the screen taller than it is wide. Many Android devices (including the T-Mobile G1) support switching screen orientation, and you need to be sure your application behaves appropriately in all orientations.
The emulator uses mouse clicks and movements to mimic the touchscreen on a real device, but there’s nothing like a real touchscreen. On a real device you can get a much better sense of what it will be like for users to interact with your application.
On the emulator, you are using your PC or Mac to emulate an ARM processor. The application’s speed is tied to the speed of your underlying host processor, which typically consists of multiple multigigahertz multiprocessors. If your application is at all performance sensitive, you’ll want to see how it functions on real devices. Similarly, the emulator is using your host’s network connection, which may be broadband, to access the Internet. On a real device your network connection will either be WiFi or a mobile network (GPRS, EDGE, HSPA, or 3G, depending on your location), and the connection’s speed and latency will be changing as the phone moves around. You want to know how these factors affect the operation of your application, and how it appears to the user.
The emulator is quite flexible, and some of these things can be tested to some degree by manipulating the emulator setup in DDMS (see DDMS: Dalvik Debug Monitor Service for more about DDMS). But again, it is important to stress that nothing can replace testing on real Android devices.
Virtually every application that you download onto a desktop or notebook computer will contain an End User License Agreement. You should seriously consider whether you want to attach such a license to your application and have users agree to it before they install the application on their phone. Typically it limits what users are allowed to do with the application, defines whether it can be used for commercial purposes, specifically does not allow reverse engineering, and tries to protect you, the author, should something go wrong and someone has reason to bring a lawsuit against you. There are many such EULAs available on the Internet. You can either adopt one of those as your own or hire a lawyer to create a unique one for you, but the use of a EULA is strongly advised.
When your application is installed (on either the emulator or a real device), an icon and a label are placed on the Application Launcher that is part of your Android Desktop. This is how most users will launch your application, so you need a small graphic (in the form of a PNG file) for the icon, and a short label for your program. Icons are small square (64×64 pixel) pictures. Figure 7-1 shows the one we used for MJAndroid.
The icon and the label are both assigned in the AndroidManifest.xml file. Here is the section of the file for MJAndroid that defines the icon (in the file icon2.png, located under the res/drawable directory) and the label (from the strings.xml file under res/values):
<application android:icon="@drawable/icon2" android:debuggable="true"> <uses-library android:name="com.google.android.maps" /> <activity android:name=".MicroJobs" android:label="@string/app_name"> <intent-filter> ...
If you’re like most developers, your path to completing your application was not linear. You tried some things, kept some, stopped using others, put in diagnostics when things didn’t work quite right, named some things that you later wished you’d named differently, and so forth. Now is the time to clean all that up. Once your application is out in the real world, you’ll have to support this version, and it would be good for you if the code were as clean as possible:
Turn off debug and logging code. You don’t really want your
deployed application eating up precious mobile phone storage by
generating logfiles, and the user won’t be able to understand your
debug messages anyway. If you haven’t already, create a boolean to
switch them off and leave them off for now. And remove android:debuggable=true
from
the AndroidManifest.xml file
(see the earlier example) to make sure debug is turned off.
Clean up your code wherever possible. Make the naming consistent, reorder methods in some reasonable way, and try to improve readability. Even if you’re the next person to look at it, you won’t remember what you did six months from now.
Remove any test data that you included—particularly anything that’s private or proprietary (like your name and address in a Contacts database).
Delete any extraneous files from the project: old logfiles, source files that you no longer include in the application, etc.
All applications submitted to Android Market must be versioned and named. You do that with simple statements in AndroidManifest.xml, as shown in the following segment of MJAndroid’s manifest:
<?xml version="1.0" encoding="utf-8"?> <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.microjobsinc.mjandroid" android:versionCode="1" android:versionName="1.0">
Obviously you want the version numbering and naming to make
sense. Android Market really only cares about the versionCode
, which needs to be monotonically
increasing for each release of your application, so a downloading
device will know when to upgrade to new versions.
Before you can publish your application to Android Market and have every Android user in the world download it, you first must sign your application. In fact, you’ve been signing your application all along, because the Android Software Development Kit generates a debug signature that is used every time you run your application from Eclipse. The catch is that you cannot use the debug signature to publish your application to the world at large; you must generate a new signature.
If you’re familiar with other mobile development environments (J2ME, Symbian, BREW, etc.), you’re probably an old hand at signing applications. But if you’re new to developing mobile applications, you may be asking yourself what all this signing stuff is for, anyway. Android uses application signing for only one purpose: to ensure that applications that claim to be from the same developer actually are. Applications from the same developer have special capabilities, discussed in the next section.
Google has stated that one of its intentions with Android was to
minimize the hassle of getting applications signed. You don’t have to
go to a central signing authority to get a signing certificate; you
can create the certificate yourself. Once you generate the
certificate, you can sign your application using the jarsigner
tool that comes with the Java JDK. Once again, you don’t
need to apply for or get anyone’s approval. As you’ll see, it’s about
as straightforward as signing can be.
To sign your application, you are going to create an encrypted signing certificate and use it to sign your application. You can sign every Android application you develop with the same signing certificate. You can create as many signing certificates as you want, but you really need only one for all your applications. And using one certificate for all your applications lets you do some things that you couldn’t do otherwise:
Signing certificates are tied to the application package name, so if you change the signing certificate you use with subsequent versions of your application, you’ll have to change the package name, too. Changing certificates is manageable, but messy.
When all your applications share the same signing certificate, they can run in the same Linux process. You can use this to separate your application into smaller modules (each one an Android application) that together make up the larger application. If you were to do that, you could update the modules separately and they could still communicate freely.
Android lets you enable or restrict access to parts of your application based on the requester’s signing certificate. If all your applications share the same certificate, it’s easy for you to reuse parts of one application in another.
One of the things you’ll be asked when you generate a key pair and certificate is the validity period you desire for the certificate. Google recommends that you set it for at least 25 years, and in fact, if you’re going to use Android Market to distribute your application, it requires a validity date at least until October 22, 2033 (25 years to the day from when they opened Android Market) for your certificate.
To generate a pair of public/private keys, use a tool called
keytool
, which came with
the Sun JDK when you installed it onto your development computer.
keytool
asks you for some
information and uses that to generate the pair of keys:
A private key that will be kept in a keystore on your computer, secured with passwords. You will use the private key to sign your application, and if you need a Map API Key for your application, you will use the MD5 fingerprint of the signing certificate to generate the Map API Key.[1]
A public key that Android can use to decrypt your signing certificate. You will send the public key along with your published application so that it can be made available in the runtime environment. Signing certificates are actually checked only at install time, so once installed, your application is good to run, even if the certificate or keys expire.
keytool
is pretty
straightforward. From your operating system’s
command line, enter something like:
$keytool -genkey -v -keystore microjobs.keystore -alias mjkey -keyalg RSA
-validity 10000
This asks keytool
to
generate a key pair and self-signed certificate
(-genkey
) in verbose mode (-v
),
so you get all the information, and put it in a keystore called
microjobs.keystore
(-keystore
). It also says that in the future you
want to refer to that key by the name mjkey
(-alias
), and
that keytool
should use the
RSA algorithm for generating public/private key pairs
(-keyalg
). Finally, we say that we’d like the key
to be valid for 10,000 days (-validity
), or about
27 years.
keytool
will prompt
you for some things it uses to build the key pair and
certificate:
A password to be used in the future when you want to access the keystore
Your first and last names
Your organizational unit (the name for your division of your company, or something like “self” if you aren’t developing for a company)
Your organization name (the name of your company, or anything else you want to use)
The name of your city or locality
The name of your state or province
The two-letter country code where you are located
keytool
will then
echo all this information back to you to make sure it’s accurate,
and if you confirm the information, will generate the key pair and
certificate. It will then ask you for another password to use for
the key itself (and give you the option of using the same password
you used for the keystore). Using that password, keytool
will store the key pair and
certificate in the keystore.
You can get more information about security, key pairs, and
the keytool
utility on
Sun’s website at http://java.sun.com/j2se/1.5.0/docs/tooldocs/#security.
When you’re creating and debugging your application that uses a MapView,
or when you’re running a demo application like MJAndroid, you still
need a valid Map API Key to get map tiles from Google Maps, and you
need the fingerprint of your debug signing certificate to obtain a
Map API Key. You can’t just use the apiKey
that we have coded into the
MJAndroid source files, because it is tied to the signing
certificate that was generated by our debug environment. Your debug
environment will generate its own, different signing certificate for
you to use, so you need to obtain a Map API Key to match.
There are two steps to getting the key:
Get a copy of the MD5 fingerprint for your Debug signing certificate.
Use that fingerprint to obtain a valid Map API Key from Google and enter it into AndroidManifest.xml.
When the Android SDK automatically generates a Debug signing certificate for you, it places it in a keystore called debug.keystore. The trick is to find this keystore. At least for the current version of the SDK, as this is being written, the location is operating system dependent:
Under Linux and Mac OS X, it is in the .android subdirectory under your home directory: ~/.android/debug.keystore.
Under Windows Vista, it’s a little harder to find; it’s
under your personal Application Data directory:
C:Usersyour_username
AppDataLocalAndroiddebug.keystore.
Windows XP is similar to Vista: C:Documents and
Settingsyour_username
Local
SettingsApplication DataAndroiddebug.keystore
(unlike Vista, you will need to use a quoted string for the XP
shell).
Once you’ve found debug.keystore, keytool
can give you the MD5 fingerprint of your Debug signing
certificate. Under Linux or OS X you’d type:
$keytool -list -alias androiddebugkey -keystore ~/.android/debug.keystore -storepass
android -keypass android
For Vista or XP, just substitute the correct location in the
-keystore
option. keytool
prints the date the Debug
signing certificate was created and the MD5 fingerprint. As an
interesting note, Debug signing certificates are good for 365 days
after creation.
Now that you have the MD5 fingerprint of your Debug Signing Certificate, you can use it to get a valid Map API Key for your system.
Now that you have a signing certificate to use for your application, you can apply to Google for a Map API Key. Map API Keys are tied to a signing certificate, so obviously the Map API Key you get will work only with applications signed with the same certificate (another good reason for sticking with the same certificate for all your applications). Getting the key is pretty easy, and it’s free.
When an application that contains a MapView runs, it requests map “tiles” from Google Maps via the Internet. As part of that request, it sends the Map API Key that was obtained when the developer signed up with Google, as well as the MD5 fingerprint of the application’s signing certificate. Google Maps checks to see that the key is registered to a developer, and then checks to see that the Map API Key matches the one on file for applications with that signing certificate fingerprint. If they match, it sends the requested tiles. If they don’t match, no tiles are sent.
So we’re going to need the MD5 fingerprint of the signing
certificate that we just created. Fortunately, keytool
can get that for us:
$ keytool -list -alias mjkey -keystore microjobs.keystore
keytool
asks for the
passwords to the keystore (and key, if they’re different), and
prints out the MD5 fingerprint in hexadecimal. Use your mouse to
copy the fingerprint so you can paste it into the Google page
later.
Now you can go to the Google Map API Key website at http://code.google.com/android/maps-api-signup.html to actually get the Map API Key. The Terms of Service are shown in a text box. Read them, and if appropriate, click on the checkbox that indicates you accept. Paste the MD5 fingerprint into the form, click the “Generate API key” button, and the website will ask you to log into your Google account. If you don’t have a Google account, you can quickly create one on the spot.
Once you log in, the website returns the Map API Key, which can be used with any application that uses the signing certificate whose fingerprint you entered. It’s a long alphanumeric string, so you will want to copy it into your clipboard and paste it into the XML layout file for your Map Activity.
As an example, the XML layout file for MJAndroid’s Map Activity (called MicroJobs) has the following section defining the MapView and the API Key that matches our debug environment:
<com.google.android.maps.MapView android:id="@+id/mapmain" android:layout_width="fill_parent" android:layout_height="fill_parent" android:clickable="true" android:apiKey="0P18K0TAE0dO2GifdtbuScgEGLWe3p4CYUQngMg" />
Of course, you will have to substitute your own apiKey
for ours.
We’re almost ready to sign your
application, but first you need to create an unsigned version that you can
sign with your signature certificate. To do that, in the Package
Explorer window of Eclipse, right-click on your project name. You’ll
get a long pop-up menu; toward the bottom, click on Android
Tools
. You should see another menu that includes the item you
want: “Export Unsigned Application Package...”. This item takes you to
a File Save dialog box, where you can pick the place to save the
unsigned version of your apk
file. It doesn’t matter where you put it—just pick a place you can
remember.
Now that you have an unsigned version of your apk file, we can go ahead and sign
it using jarsigner
.
Open a terminal or command window in the directory where you stored
the unsigned apk file. Here’s the line we used to
sign MJAndroid, using the key we generated earlier in the keystore
microjobs.keystore
:
$ jarsigner
-verbose -keystore microjobs.keystore MJAndroid.apk mjkey
Congratulations! You now have a signed version of your application that can be loaded and run on any Android device. But before you send it in to Android Market, there’s one more intervening step....
If everything went smoothly, your application is now signed and will function just as well as it did before you went through this process. But to be sure things went smoothly, it is wise to retest your application, again testing on real Android devices where possible. You really don’t want thousands of people downloading a broken application attributed to you, so just to be safe, retest on as many Android devices as you can get your hands on.
After you’re satisfied that your application runs as expected on real Android devices, you’re ready to upload to Android Market, Google’s service for publishing and downloading Android applications. The procedure is pretty straightforward:
Sign up as an Android Developer (if you’re not already signed up).
Upload your signed application.
Go to Google’s website at http://market.android.com/publish, and fill out the forms provided. As this is written, Android Market is still in beta, and you will be asked to:
Use your Google account to log in (if you don’t have a Google account, you can get one for free by following the Create Account link on the login page).
Agree to the Android Market Terms of Service.
Pay a one-time fee of $25 (payable by credit card via Google Checkout; again, if you don’t have an account set up, you can do so quickly).
The forms ask for a minimal amount of information—your name, phone number, etc.—and you are signed up.
Now you can go to http://market.android.com/publish/Home to upload your application. To identify and categorize your application, you will be asked for the following:
The apk file of your application, signed with your private signature certificate.
These are very important, because they are the core of your marketing message to potential users. Try to make the title descriptive and catchy at the same time, and describe the application in a way that will make your target market want to download it.
There are currently two choices: Applications or Games.
The allowable list of categories varies depending on Application Type. The currently available categories for Applications are: Communications, Demo, Entertainment, Finance, Lifestyle, Multimedia, News & Weather, Productivity, Reference, Shopping, Social, Software Libraries, Tools, and Travel. For Games, the currently available categories include: Arcade & Action, Brain & Puzzle, Cards & Casino, and Casual.
This must be “Free” under the beta version of Android Market. Google has said they will enable charging for applications in the near future (maybe by the time you read this).
You can limit where your application is available, or choose to make it available everywhere.
Finally, you are asked to confirm that your application meets the Android Content Guidelines and that it does not knowingly violate any export laws. After that, you can upload your apk file, and within a few days your application will appear on the Android Market online catalog, accessible from any connected Android device. There is currently no way to access Android Market directly from your PC or Mac, so you’ll have to use your Android phone to find out when your application is available for download.
[1] If you’re not familiar with MD5, you can find many references on the Internet. For our purposes, you can think of it as a hash algorithm that creates a 128-bit fingerprint of an arbitrarily long string. It is often used to validate downloaded files on the Internet, and here it is a way of conveniently validating and condensing a signing certificate so it can be easily verified and compared by Google Maps.
35.171.45.182