Android: why signing configs in Gradle require clear passwords?

Question

There must be something I am missing.

It looks like in order to sign a release APK in Android Studio, you need to hardcode in the Gradle configuration file your signature password and the exact location of your signature file.

Is this really secure?

In Eclipse I was always asked to type the password, and I prefered that way.

Answer 1

you need to hardcode in the Gradle configuration file your signature password

No. You need to supply build.gradle with the keystore password. You can supply that via an environment variable, a separate properties file (e.g., one that is not committed as part of a repo), or any other means you choose that Groovy can handle.

In Eclipse I was always asked to type the password, and I prefered that way.

You can do that too.