As a potential start up that is releasing an Android application, I need to sign the application with a certificate. I'm wondering if I should use a self-signed certificate or should I use a certificate signed by a certificate authority?
If I should use the latter, what is process for obtaining a certificate and getting it signed by a certificate authority?
According to the Android developer site, you can use self-signed certificates to sign your applications. No certificate authority is needed. To quote the site:
The certificate does not need to be signed by a certificate authority: it is perfectly allowable, and typical, for Android applications to use self-signed certificates.As far as the process for signing your application, take a look at the link I provided. That page has a ton of information regarding signing your application. Here's an excerpt:
When you build in release mode you use your own private key to sign your application. If you don't have a private key, you can use the Keytool utility to create one for you. When you compile your application in release mode, the build tools use your private key along with the Jarsigner utility to sign your application's .apk file. Because the certificate and private key you use are your own, you will have to provide the password for the keystore and key alias.If you were developing a Windows application I would say that using a certificate authority is a must, since the end user receives a terrible warning without it. However, Android doesn't warn end users in that way.
Here's a Google Groups thread, which mentions the same thing.
If you still want to pursue purchasing a code-signing certificate from a trusted source, the process is fairly straightforward.
The Android Application should have the certificate's like SSL certificate's because these day's The Android Apps are causing major security problem in mobile industry.So it has to build with more security options.