This week: 6 repos in the scanned fleet exposed this category (14 matches).See Radar #4 →

What it is

A Java keystore (.jks or .keystore) stores the private signing key for an Android app. Google Play uses this key to verify that updates come from the original developer.

Why it matters for AI context

If a keystore is committed, an assistant can read the binary as context, and the file (often alongside its password in gradle config) can be extracted from history. Recovering app signing keys is difficult.

How to keep it out of AI tools

  1. Keep release keystores out of the repo; store them in a secure secrets vault.
  2. Add *.jks and *.keystore to .gitignore.
  3. Add the same patterns to your AI ignore file.
  4. Never commit keystore passwords in gradle.properties.
Add to your ignore file
*.jks
*.keystore
keystore.properties

Ignore files that exclude this

FAQ

Why is the signing key so important?
It is the identity Google Play uses for your app. Losing control of it can let someone push malicious updates to your users.

Check your own project

158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:

Run the same local check with Offsend CLI:

brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-run

Everything runs locally. No file contents are uploaded.