Google Play, and a sideways jaunt into R53, S3 and Cloudfront

Posted: 06 March, 2023 Category: backend Tagged: Google Play, android, aws, route53, s3, cloudfront

I couldn't believe it: was noodling around with Kotlin. Built a cute lil newbie quiz app. Thought it'd be even cuter to try and push it to Google Play Store, forgetting that we can't have nice (or at least, in this specific instance, simple) things. Bad people have been abusing the ability to push malicious apps onto Play Store while pretending to be other people, I guess? I dunno. But suffice it to say that it is not a walk in the park to just hurl an app at the world.

The app

Seasoned Kotlin devs, UX designers, avert your eyes. 🙈

[Screenshots: the app in Play Store; the start screen; a random screenshot]

BEYOND silly. But its job was to give me a reason to sniff-test the whole "publishing an app" experience.

The publishing process

While I've worked on an Android app before, it was via React Native and I was decidedly not part of any publishing/deployment shenaniganry. Hence my curiosity:

When I tell you that Google would've happily taken stool samples, on top of everything else. I had to fess up photographic ID, address, phone number AND money, lol. But the kicker, folks... the kicker ended up being the need for a whole privacy page for this dinky little app.

I either dropped the ball during the rest of the Spanish-style inquisition (perhaps I had bad answers for "Will children use this app?")... or, newer versions of the inquisition no longer care about exempting anyone from such things as having a privacy policy. There was no way to plaintively point out that "OK but... I ... I don't even KNOW how to collect anyone's info, OK? Like, I'm LEARNING kotlin, kottdammit..".


  • 📅 The whole account creation part takes a couple of business days end to end and just verifying my ID took about 5 to 6 hours within that.
  • 🌐 Turns out you can pick which countries to release to! The folks I would subject to this underwhelming experience were strung out on either side of the Atlantic, so I picked Canada + those countries. I've done what I can to prevent the rest of the world from stumbling upon this, OK? 😑
  • ⚠️ There's a choice between letting Google handle the app signing keys or signing yourself. My intention was to do the latter, but in the gamut of confusions that is the Play Store UX itself, I think I actually gave up and let it just handle this part (even though, afaik, I did upload an already signed bundle?). In short, I couldn't get it to take an .apk; had to backtrack and build an .aab to sate the Android gods.

The privacy page

The obvious choice would've been just to stick up a page on here. Nothing on here requires a privacy page tho. Still, I could've just quietly added one. Otoh, I was eventually gonna have other apps, and I wanted them all to be sandboxed somewhere away from NTM; to froth forth out of the ether and die back into it, based on my whims and ideation/experimentation rates. I mean I had already bought a domain for precisely that. It was just sitting there, in R53, bored.

💡 S3 to the rescue! I mean, it's just a static page, right?!

  • OK so I stuck my page and its silly lil header image into S3. Hahahaaa!! Yes! Revisiting the halcyon days of raw html and inline css! Omg can't remember the last time I did that.
  • But do I want to expose the bucket to the world? Well, "start as you mean to go on", as they say, so... No. Ach, so we're gonna need cloudfront then. Damnit this was supposed to be a cheap n' simple solution.

🌍 Cloudfront with R53

  • OK created my distribution to front my S3 bucket, let it update the bucket policy and such.
  • Went back into R53 and created an Alias record for my cloudfront distro.
  • But wait... don't I need to expose this as an https endpoint? 💭 you know the goog LURVES them some https and a bare http endpoint prolly won't pass muster and might invite further inquisitions. Ach, so I'm gonna need an SSL cert. DAGNAMMIT!!
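
An added example (not code from the original post): a small audit of what a bucket policy lets the world do once CloudFront fronts the bucket, telling a public bucket apart from one readable only by CloudFront, and from one pinned to a single distribution. It assumes the origin access control (OAC) policy shape; the bucket name, account ID and distribution ID are placeholders.

```python
# Added example: placeholder bucket, account ID and distribution ID throughout.
BUCKET = "arn:aws:s3:::example-privacy-page/*"
DIST = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"

def stmt(principal, condition=None):
    """Build a constructed s3:GetObject Allow statement for the samples."""
    s = {"Effect": "Allow", "Principal": principal,
         "Action": "s3:GetObject", "Resource": BUCKET}
    if condition:
        s["Condition"] = condition
    return s

CF = {"Service": "cloudfront.amazonaws.com"}
# Constructed: what a world-readable static-site bucket carries.
PUBLIC = {"Version": "2012-10-17", "Statement": [stmt("*")]}
# Constructed: CloudFront may read, but nothing pins *which* distribution.
UNPINNED = {"Version": "2012-10-17", "Statement": stmt(CF)}
# Constructed: the OAC shape, pinned to one distribution.
PINNED = {"Version": "2012-10-17",
          "Statement": [stmt(CF, {"StringEquals": {"AWS:SourceArn": DIST}})]}

def is_wildcard(principal):
    """True for "*" or {"AWS": "*"}, including the list form."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def audit(policy, expected_dist=DIST):
    """Classify each Allow statement (only the StringEquals pin is recognised)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):       # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        cond = s.get("Condition", {})
        # Condition keys are case-insensitive: AWS:SourceArn == aws:sourcearn.
        eq = {k.lower(): v for k, v in cond.get("StringEquals", {}).items()}
        if is_wildcard(s.get("Principal")) and not cond:
            findings.append("public")
        elif s.get("Principal") == CF:
            pinned = eq.get("aws:sourcearn") == expected_dist
            findings.append("cloudfront-pinned" if pinned else "cloudfront-unpinned")
        else:
            findings.append("other")
    return findings

if __name__ == "__main__":
    for name, policy in [("public", PUBLIC), ("unpinned", UNPINNED), ("pinned", PINNED)]:
        print(name, audit(policy))
```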

📜 Freebie ACM SSL cert

  • OK so this was actually fun; using dns to do the verify run simplifies things a lot. Nevertheless, I goofed up: an overzealous *.mydomain.tld does exactly what it says on the tin and does NOT, in fact, "cover everything". So natch, Cloudfront balked, complaining that I was trying to feed it certs for *.mydomain.tld while asking it to explicitly serve mydomain.tld. LOL 🙈. OK so a second cert, then, this time for mydomain.tld.
  • I couldn't be bothered to forward the www subdomain after all, cos (i) ideally no one even gets to these pages and (ii) I vaguely remember that R53 charges for subdomains / CNAME records? Otoh it seems I need to keep the CNAME recs used for the verification runs, as they're used when the certs renew. Oh well.
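
An added example (not code from the original post) of the wildcard rule behind that CloudFront complaint: a `*.` name stands for exactly one left-most label, so it covers neither the bare domain nor deeper names, and a distribution needs one certificate that covers every alternate domain name. The cert labels in the inventory are hypothetical; the domain is the post's `mydomain.tld`.

```python
def san_matches(san, host):
    """True if certificate name `san` covers `host`.

    A leading "*." stands for exactly one left-most label, so it never
    matches the bare parent domain or a name two levels down.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                       # "*.mydomain.tld" -> ".mydomain.tld"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]            # what the "*" would have to stand for
    return bool(label) and "." not in label

def uncovered(aliases, sans):
    """Alternate domain names that no name on the certificate covers."""
    return [a for a in aliases if not any(san_matches(s, a) for s in sans)]

def usable_certs(aliases, certs):
    """Names of certs that cover every alias; a distribution takes one cert."""
    return [name for name, sans in certs.items() if not uncovered(aliases, sans)]

# Constructed inventory; the cert labels are hypothetical, the domain is the post's.
CERTS = {
    "wildcard-only": ["*.mydomain.tld"],
    "apex-only": ["mydomain.tld"],
    "apex-plus-wildcard": ["mydomain.tld", "*.mydomain.tld"],
}

if __name__ == "__main__":
    for aliases in (["mydomain.tld"], ["mydomain.tld", "www.mydomain.tld"]):
        print(aliases, "->", usable_certs(aliases, CERTS))
```

Serving both the apex and `www` from one distribution would leave only a certificate that lists both names usable.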

Look forward to using the sandbox domain more, for future experiments.