🚨 Common Error Message

“Your Android App Bundle is signed with the wrong key.”

The SHA1 fingerprint doesn’t match the one Google Play expects.

This usually happens if you’re signing your AAB with a different key than the one originally used to upload the app. Don’t worry — it can be fixed!

Step 1: Understand App Signing on Google Play

Google uses App Signing by Google Play to manage your production signing key, but you still need to upload new AABs using your Upload Key. If you’ve lost access to your original upload key or created a new one in Appos, Google will reject the update unless you request an upload key reset.

Step 2: Set Up Your Tools

Before proceeding, make sure you have the following installed:

• Java Development Kit (JDK) – Recommended: JDK 17+
• Download here
• keytool – Comes with the JDK
• (Optional) Python – For AAB inspection or tooling (not required for key reset)

Run the following to confirm setup:

java -version
keytool -help

Step 3: Inspect Your Current Keystore

If you already have a .jks file (Java keystore), examine it by running:

keytool -list -v -keystore my-release-key.jks

Look for:

• Alias name (my-key-alias)
• SHA1 fingerprint
• Certificate validity period

You’ll need this info shortly.

Step 4: Generate Your .PEM Upload Certificate

Google requires a .pem file to verify your new upload key. Generate it with this command:

keytool -export -rfc \
 -keystore my-release-key.jks \
 -alias my-key-alias \
 -file upload_certificate.pem

Make sure this command is run in the same directory as your .jks file.

Step 5: Request an Upload Key Reset in Google Play Console

Now that you have your .pem file:

1. Go to your app in Google Play Console
2. Navigate to Setup → App Integrity
3. Scroll to Upload Key Certificate
4. Click “Request key reset”
5. Upload the upload_certificate.pem you just created
6. Provide your keystore alias and password when prompted

Example:

• Alias: my-key-alias
• Password: yourPassword123

Note: Google may take 1–2 business days to process this.

⚠️ Bonus Tip: Device Compatibility Warnings

Sometimes, after uploading a new build, you’ll see a warning:

“This release will cause a significant drop in the number of devices your app supports.”

Here’s what to check:

• minSdkVersion: Lower it if possible
• Manifest permissions: Avoid requiring hardware (like camera, GPS) unless necessary
• ABIs & screen support: Ensure all common types are included

You can adjust these in your Appos build settings or contact support if you’re unsure how.

✅ Final Checklist

• JDK & keytool installed
• Existing keystore inspected
• .pem certificate generated
• Upload key reset requested in Play Console
• Device compatibility reviewed (optional)

Let us know if you hit any snags—we’re here to help. Happy publishing with Appos Studio!

We’re thrilled to share that a major wave of new native iOS integrations has officially entered QA testing—a key milestone that brings Appos Studio closer to unlocking powerful, system-level capabilities for your apps.

If all goes smoothly during this QA phase, you can expect this expanded functionality to roll out to Appos Studio users soon. These integrations will allow your apps to tap into iOS device features with greater precision and control, enabling more personalized, interactive, and utility-driven experiences for your users.

Here’s a sneak peek at what’s in the pipeline:

• Photo Library (Full Access)
• Photo Library (Add Only)
• Temporary Location Access
• Health Data Sharing + Update
• Motion Activity + Sensor Access
• Contacts, Calendar, and Reminders Access
• Bluetooth (Always + Peripheral Access)
• Local Network Access
• Speech Recognition + Siri Access
• Media Library + Apple Music Access
• Face ID Access
• NFC Reader Access
• Improved User Tracking Access
• On-Device Machine Learning Access

These integrations allow your apps to connect more deeply with the Apple ecosystem, unlocking everything from biometric authentication and voice control to passive health monitoring, real-time location data, and even personalized music experiences through Apple Music.

Most of these native permissions will be available exclusively on iOS devices to start, but rest assured—we’re actively working on expanding compatible integrations for Android where applicable.

We’re excited to see how you leverage these tools—whether you’re building wellness apps that sync with HealthKit, social platforms that access photos and contacts, or smart tools that respond to motion and voice input, the possibilities are bigger than ever.

We’d love to hear what new features or functionality you’re planning to add to your apps using these integrations. Drop your ideas, use cases, or questions in the replies—we’re listening!

Stay tuned for updates as we get closer to launch.

—The Appos Team 🚀

Apple’s recent iOS 18.4.1 update introduced several critical changes to WebKit, which directly affect how cookies are handled in WKWebView—particularly for apps that rely on web-based content.

We’ve already made substantial updates to the Appos Studio codebase to stay ahead of these changes, but we’re also encouraging all users to verify their own website/server configurations to ensure full compatibility going forward.

🔧 Required Server-Side Cookie Settings for iOS 18.4.1:

To maintain proper session behavior and data handling within WKWebView, your server should set cookies using the following attributes:

• SameSite=None
  • Allows cookies to be sent with cross-site requests. This is critical for apps using WKWebView in iOS 18.4.1.
  • Example: Set-Cookie: csrf_token=abc123; Path=/; Secure; HttpOnly; SameSite=None
• Secure
  • Ensures cookies are only transmitted over HTTPS, per Apple’s enhanced security policies.
• HttpOnly
  • Protects cookies from JavaScript access, improving overall security.

These settings have become essential due to changes in iOS 18.4.1’s cookie policy and how WebKit now treats cross-origin traffic. You can also reference this ongoing discussion in the Apple Developer Forums for more technical context:

👉 WKWebView cookie issues in iOS 18

If your app or embedded site content is experiencing login/session issues or other unusual behavior on iOS 18.4.1 devices, this is very likely the cause. We’re continuing to monitor developments and will post any additional updates as needed.

Feel free to reply here with questions or reach out to the Appos support team directly for assistance.

Thanks!

Nick @ Appos

To help you comply, here’s a simple PHP script that dynamically disables or enables tracking scripts (like Google Analytics or Facebook Pixel) based on a user’s ATT status. This is especially useful if your website uses these trackers and is being embedded in a mobile app created with Appos Studio.

When to Use This Script

Add this script to your website if any of the following are true:

• You use tracking cookies or third-party analytics tools.
• You’ve converted your website into a mobile app using Appos Studio.
• You’re submitting your app to Apple’s App Store and need to comply with ATT.

How It Works

• Appos Studio (or your client app) sends the user’s ATT status via a custom HTTP header or URL parameter.
• The script checks the status:
• If tracking is denied, it removes cookies and tracking scripts.
• If tracking is allowed, it includes them as usual.

Example Code with Comments

<?php
// Get the user's ATT status from the request
// Priority: Custom HTTP header > URL parameter > Default to "allow"
$attStatus = $_SERVER['HTTP_X_ATT_STATUS'] ?? $_GET['att'] ?? 'allow';

// Check if tracking has been denied
if ($attStatus === 'denied') {
    // Remove any "Set-Cookie" headers to avoid placing tracking cookies
    header_remove('Set-Cookie');

    // Leave tracking scripts out of the page
    $trackingScripts = '';
} else {
    // ATT is allowed: include tracking scripts like Google Analytics, etc.
    $trackingScripts = '<script src="tracking.js"></script>';
}

// Output the HTML with or without tracking scripts in the <head>
echo "<!DOCTYPE html>
<html>
<head>
    <meta charset='UTF-8'>
    <title>My Website</title>
    $trackingScripts
</head>
<body>
    <h1>Welcome to my website!</h1>
    <p>Your experience has been tailored based on your privacy preferences.</p>
</body>
</html>";
?>

Final Notes

• You can customize the trackingScripts variable to include any script snippets (Google Tag Manager, Facebook Pixel, etc.).
• If you’re using a CMS like WordPress, this logic may need to be added as a plugin or directly in the theme’s header.php.

If you’re unsure whether your site uses tracking cookies, it’s better to err on the side of caution and implement this logic.

Let me know below if you need help customizing this for your stack!