Priority: Critical
android/app/build.gradle.kts line 37 uses the debug keystore for release builds:
signingConfig = signingConfigs.getByName("debug")Anyone with Android SDK tooling has the same debug key and could sign a malicious APK that Android treats as an "update" to Hark. Google Play will also reject this.
Recommended fix
- Set up a dedicated release signing config with a securely stored keystore
- Document the signing setup for contributors (without committing the keystore)
- Add
key.properties to .gitignore (already done)
Files
android/app/build.gradle.kts (line 37)
Priority: Critical
android/app/build.gradle.ktsline 37 uses the debug keystore for release builds:Anyone with Android SDK tooling has the same debug key and could sign a malicious APK that Android treats as an "update" to Hark. Google Play will also reject this.
Recommended fix
key.propertiesto.gitignore(already done)Files
android/app/build.gradle.kts(line 37)