Is there a way to determine whether an Android application is signed for production or debug at runtime?
Yes, but not 100% reliable. The default (auto-generated) certificate has the DN 'CN=Android Debug,O=Android,C=US' as described here. If you check the DN and it matches the default, it is most probably the debug certificate. Nothing prevents people from generating their own debug certificate or using the same one for production and debugging though.
You can get the signing certificate using PackageManager. Something like:
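    import android.content.pm.PackageManager;
    import android.content.pm.Signature;
    import java.io.ByteArrayInputStream;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;

    // Read the first signing certificate of this app and extract its issuer DN.
    PackageManager pm = context.getPackageManager();
    Signature sig = pm.getPackageInfo(context.getPackageName(),
            PackageManager.GET_SIGNATURES).signatures[0];
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) cf.generateCertificate(
            new ByteArrayInputStream(sig.toByteArray()));
    String dn = cert.getIssuerDN().getName();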