Your keystore file and its associated passwords represent your permanent claim to your Android app's identity on Google Play. Losing this key (or having it stolen) has consequences you cannot recover from without help from Google. These best practices are not theoretical: professional Android development teams follow them consistently.
The Core Rules
- Back up your keystore in at least two locations. A single copy on your laptop is not a backup: it's a single point of failure.
- Store keystore passwords in a password manager, not in plain text. Never write them in a README, a text file, a Slack message, or an email.
- Never commit your keystore to a version control system (Git, SVN, etc.). Once committed, credentials are in the history even if deleted. Add *.jks, *.keystore, and *.p12 to your .gitignore.
- Separate your credentials from the file. The keystore file and its passwords should be stored independently so that obtaining the file alone is not enough.
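A small POSIX sh pre-commit hook, added here as an example and not code from WebToAppConvert: it refuses any staged file matching the three patterns above, because .gitignore alone does not stop an explicit `git add -f`. It assumes it is installed as `.git/hooks/pre-commit`; the hook branch keys off that file name.

```shell
#!/bin/sh
# Added example (not WebToAppConvert's code): block Android signing keystores
# from ever being committed. Assumed install path: .git/hooks/pre-commit
# (chmod +x). This is a second layer behind .gitignore, which `git add -f`
# bypasses.

# check_staged_paths PATH... : returns 0 when no path looks like a keystore,
# 1 when at least one does (offending paths are named on stderr).
check_staged_paths() {
    blocked=0
    for path in "$@"; do
        case "$path" in
            *.jks|*.keystore|*.p12)
                echo "pre-commit: refusing to commit $path (signing keystore)" >&2
                blocked=1
                ;;
        esac
    done
    return "$blocked"
}

# Hook mode: only when git invokes this file as .git/hooks/pre-commit.
# Reads the staged (added/copied/renamed) paths, one per line, and aborts
# the commit on the first keystore found.
case "$0" in
    */pre-commit|pre-commit)
        git diff --cached --name-only --diff-filter=ACR |
        while IFS= read -r path; do
            check_staged_paths "$path" || exit 1
        done || exit 1
        ;;
esac
```

To find keystores that are already in history, `git log --all --name-only --pretty=format: -- '*.jks' '*.keystore' '*.p12'` lists every path of those types touched by any commit; once a file shows up there, treat the key as exposed and rotate it rather than relying on history rewriting.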
Backup Strategy
At minimum, keep your keystore in two separate locations:
- Cloud storage (encrypted): A private folder in Google Drive, Dropbox, or iCloud: not a shared folder. Enable encryption at rest if your provider supports it. Do not share the folder with collaborators unless absolutely necessary.
- Offline backup: An encrypted external drive or USB key stored in a secure physical location. For critical production apps, a safe or secure cabinet is appropriate.
Password managers like 1Password, Bitwarden, or Dashlane support storing file attachments: some teams store the keystore file directly in the password manager entry along with the passwords. This co-locates the file and credentials securely.
Sharing Keys with Collaborators
If you work with a developer, agency, or build service that needs your keystore:
- Share the file via an end-to-end encrypted channel (not plain email). Use Signal, a team password manager's secure sharing feature, or an encrypted email service.
- If possible, create a separate key alias for each collaborator, or use upload key rotation when you end the relationship.
- When a collaborator relationship ends, rotate your upload key through Google Play Console to invalidate the key they had access to.
WebToAppConvert Keystore Storage
When you upload a keystore to WebToAppConvert, it's stored encrypted at rest. The keystore is only accessed during the build process to sign your app. WebToAppConvert employees do not have access to your keystore passwords: the system uses them mechanically without human visibility.
Despite this, downloading your keystore file and maintaining your own backup is strongly recommended. If you later migrate to a different build service or want to build locally, you'll need your keystore file and its passwords.
If You Suspect a Key Is Compromised
If you believe your keystore file and password have been accessed by someone unauthorized:
- If you've enrolled in Play App Signing, request an upload key rotation from Google Play Console immediately
- Change any passwords stored near the keystore (password reuse is a secondary risk)
- Audit your app for any unauthorized updates published to the Play Store
- If an unauthorized party published to your listing, contact Google Play Developer Support
If You Lose Your Key
If your upload key is lost and you need to continue publishing updates:
- Apps using Play App Signing: Contact Google Play support to request an upload key reset. This is a manual process requiring identity verification. Not guaranteed but possible.
- Apps not using Play App Signing: There is no recovery path. You would need to create a new app listing.
This is the strongest argument for enrolling in Play App Signing: it provides a safety net that self-managed signing does not.