Mobile App Development

Access to stores

If the mobile app is being released in either the Play Store or the App Store, then before the start of a project, at least 2 developers should be granted access to the following store accounts:

  • Google Play Console: the Google Play Console is used to publish Android apps to Google Play. The developer account should be managed by the customer, and the developers from Recognize should be invited to either manage the corresponding app (if it was already created in the Google Play Console), or the account, if the app still needs to be created.

  • App Store Connect: via App Store Connect, customers can grant developers access to both App Store Connect and the Apple Developer Portal. The developer account should be managed by the customer. The developers should get the 'App Manager' or 'Admin' role, with the 'Access to Certificates, Identifiers & Profiles' checkbox checked.

Secrets, certificates and keys

During the development phase of a mobile app, developers create and use different kinds of secrets, certificates, keys and keystores. All of these items should be stored in a central and secure location and shared with at least one other team member. The following key vaults are allowed:

  • LastPass

Note that these items may also be stored on a company-owned (encrypted) computer, as long as they are centrally available as well. Using any other key vault is prohibited, with two exceptions. First, Bitrise: you are allowed to store keystores, certificates and provisioning profiles in Bitrise, but they must also be present in one of the allowed key vaults. Second, Google Play: you are allowed to upload your keystore to Google Play in order to make use of Play App Signing.

iOS development

Per version of the app, the following files are required to be stored in one of the allowed key vaults:

  • Distribution Certificate (.p12): a distribution certificate is used to sign the app for distribution. It should be stored along with its password.

  • Mobile Provisioning Profile (.mobileprovision): although not a secret, the mobile provisioning profile of an app should be stored along with the other files for the app.

  • (if applicable) Push Key: a push key is created for a developer account and should be stored in a secure location. Along with the push key, the Team ID and Key ID should be stored as well.

Android development

Per version of the app, the following files are required to be stored in the allowed key vaults:

  • Keystore: each environment of the app should have its own keystore. Along with the keystore, the passwords for both the keystore and the private key should be stored.

Store Guidelines

Both Google and Apple have a review process in place to prevent apps that violate store rules from being published in their stores. During the development process, developers should be aware of those rules, and any required mitigations should ideally be applied during development. To stay up to date with the guidelines, a monthly summary of any changes will be provided during the technical briefings.

The guidelines for the App Review Process from Apple can be found at: https://developer.apple.com/app-store/review/guidelines/

The guidelines for the Play Store review process from Google can be found at: https://play.google.com/about/developer-content-policy/