They can't do anything bad to you with a signed .apk. They can't do
anything but install it, or perhaps redistribute it -- but they'd be
able to do that anyway.

A signed .apk does NOT contain ANYTHING from your keystore, except
your PUBLIC certificate, which serves to identify who signed it. The
whole point of signing something is so you can give it out, and it
can be verified (1) as being from you and (2) as being unmodified
since you signed it.

If they modify it, it will no longer bear your valid signature.
Here's how that works.

When you sign it, your public key (part of your public certificate) is
attached, along with a secure checksum of the entire file, encrypted
with your PRIVATE key.

To verify it, you checksum the file again, and decrypt that encrypted
checksum, and compare. They should match. If they don't, either the
file has been modified, or the encrypted one was NOT encrypted with
your PRIVATE key. But the recipient of the signed artifact never sees
your private key, just your public one.

Ideally, they'd also include a timestamp from a timestamp service, to
show when it was signed, so you can verify that it was signed within
the validity period of the certificate. It doesn't, though, which is
unfortunate. Timestamp services work about the same way.

My guess is they want to be able to run your application, to be able
to see the strings used in context. Context matters to localization.
Short strings, especially, may be ambiguous when just viewed from
strings.xml. To do a good job of translation, you really need to see
the application. I'd be suspicious of anyone just requesting
strings.xml.

Ideally, they'd request strings.xml and a signed app (or maybe extract
strings.xml themselves, if they're clever), give you back a localized
version of strings.xml to include, and then you send them a NEW signed
app, with the localized strings.xml included, for them to review, both
for accuracy, and for changes between versions (new strings, changed
text).

If I were offering a translation service, that's how I'd do it.


On Aug 10, 2:20 am, Droid <rod...@gmail.com> wrote:
> I have an email wanting to localise an APK. But I have to email him/
> her a signed APK. Is that safe, I mean can they access my merchant
> account or something horrible like that if they get my key store?
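The sign-then-verify flow the reply above describes, as an added example that is not code from the post or from Android's own signing tools: it uses Go's standard library with RSA PKCS#1 v1.5 over a SHA-256 digest standing in for the .apk signature scheme, carries only the signer's public key (in place of the certificate), and signs a constructed byte string in place of a real .apk. The timestamp the reply wishes for is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

type SignedArtifact struct {
	Payload, PublicKeyDER, Signature []byte // only the PUBLIC key travels with the file
}

// Sign: SHA-256 the payload, sign the digest with the PRIVATE key, attach only the public key.
func Sign(priv *rsa.PrivateKey, payload []byte) (SignedArtifact, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedArtifact{}, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return SignedArtifact{}, err
	}
	return SignedArtifact{append([]byte(nil), payload...), pubDER, sig}, nil
}

// Verify: rehash, check the signature with the ATTACHED public key; nil means unmodified and from the matching key.
func Verify(a SignedArtifact) error {
	key, err := x509.ParsePKIXPublicKey(a.PublicKeyDER)
	if err != nil {
		return err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("attached key is not RSA")
	}
	digest := sha256.Sum256(a.Payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], a.Signature)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the keystore's private key
	signed, _ := Sign(priv, []byte("constructed stand-in for .apk bytes"))
	fmt.Println("unmodified verifies:", Verify(signed) == nil) // true
	signed.Payload[0] ^= 1                                    // flip one byte of the file
	fmt.Println("modified verifies:", Verify(signed) == nil) // false
}
```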
