Application Certificates and Provisioning Profiles

Apple employs elaborate workflows to sign an app but, more importantly, to prevent application distributors from circumventing the App Store. Android uses a simpler workflow, mainly to sign the application and to prevent rogue apps from being installed and taking advantage of users.

Apple has strict processes around acquiring device provisioning profiles. A developer account is required, and the profiles are generated by Apple and downloaded from the developer portal. Refer to the corresponding documentation from Apple for more details. Provisioning profiles are application specific, so they should be managed together with the applications. In addition, the machines responsible for building the iOS binaries (.ipa) must be configured with the certificates associated with the provisioning profiles. Finally, devices used for QA testing must have the provisioning profiles installed to be able to run the application.
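
Because a profile is tied to one application, has an expiry date, and (for development and ad hoc profiles) lists the devices allowed to run the build, a build machine can check it before signing. The script below is an added example, not part of the original page or any Apple tooling: the function names and the sample profile are constructed for illustration, and it assumes the profile's XML plist can be read directly out of the signed envelope without verifying the signature.

```python
import plistlib
from datetime import datetime, timedelta

# Constructed sample: junk bytes stand in for the CMS (PKCS#7) wrapper that
# surrounds the XML plist in a real .mobileprovision file.
SAMPLE = b"\x30\x82\x01\x00" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>Example QA Profile</string>
<key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
<key>Entitlements</key><dict>
  <key>application-identifier</key><string>TEAMID1234.com.example.app</string>
</dict>
<key>ProvisionedDevices</key><array><string>UDID-A</string></array>
</dict></plist>""" + b"\x00\x00"

def load_profile(blob):
    """Pull the embedded plist out of the signed envelope (signature NOT verified)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def check_profile(profile, bundle_id, device_udid, now, min_days=14):
    """Return the problems that would block a build or a QA install."""
    problems = []
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    pattern = app_id.partition(".")[2]           # drop the team-ID prefix
    if pattern.endswith("*"):                    # wildcard profile
        matches = bundle_id.startswith(pattern[:-1])
    else:
        matches = bundle_id == pattern
    if not matches:
        problems.append(f"profile is for {pattern!r}, not {bundle_id!r}")
    expires = profile["ExpirationDate"]          # plistlib returns a naive UTC datetime
    if expires <= now:
        problems.append(f"profile expired on {expires:%Y-%m-%d}")
    elif expires - now < timedelta(days=min_days):
        problems.append(f"profile expires in {(expires - now).days} days")
    devices = profile.get("ProvisionedDevices")  # absent on App Store profiles
    if devices is not None and device_udid not in devices:
        problems.append(f"device {device_udid} is not in the profile")
    return problems

if __name__ == "__main__":
    for line in check_profile(load_profile(SAMPLE), "com.example.app",
                              "UDID-Z", datetime(2029, 12, 25)):
        print("FAIL:", line)
```

Run against the real profile checked in beside each application, a non-empty result is a reason to fail the build before any signing step runs.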

Google allows applications to be distributed outside of the marketplace, for instance through a simple URL. As a result, the deployment of Android applications is much simpler. All that is required are valid key pairs, which a development organization can generate itself. You can use any standard private key generation tool, such as the keytool included in a JDK. The keys only need to be generated once per organization and can be used for signing all Android apps. All build machines should be configured to have access to the private key. Finally, Android devices can be configured to install and run applications signed with the default 'debug' certificate if you don't want to use the official private key during development.
