They have sent me a finished .APK . What other files do I need to request so that somebody else can develop it further in future?
Depending on your contract with the developer, you could also need the source code of the application.
If you ever want to switch to another company or developer, in order for them to continue where the others left, they will need the source code of your app. Without the source code, you cannot make any changes to app and publish new versions of it to the Play Store.
For completeness, mentioning what people said in the comments:
the build files of your project (e.g. Gradle configs)
the signing key used to publish the app on the Play Store
HTH
Related
tl;dr: I'm wondering if there's anyway for me to ensure that the source code I (re)viewed on GitHub for an open-source project was actually used to build the APK I'm downloading from Google Play?
Let's say I want to find an app for encrypting files on my local Android device. There are several apps available when googling, many open-source. As I'm going to encrypt sensitive information, I'd like to ensure it's done correctly (and without bad intent), so I review the source code for the app. All looks okay, so I download the app from Google Play and start using it.
If the developer of the app wanted to, they could just offline modify the source code (in a "private build step", so to say), and inject whatever they want (send the unencrypted file content somewhere, fake-encrypt the files, whatever), build the APK and upload that APK to Google Play instead.
Is there anyway to verify the APK actually came from the source code?
What are the things to do for posting an app to the Android market when posting their first app to the market?
Most of it is explained in official docs, I'll add some points from experience:
Create your key store for App signing. Make sure you put some relevant info in your certificate if your App has copyright. keep a backup and guard it in every possible way, play store only accepts apk updates signed with same key as the original one, so does the device when installing an update.
Finalize your package name, make it unique , in future if you lose the signing key, you will have to re-upload app under a different package name.
Make a thorough review of code, watch out for test code, notes, useless comments and unwanted logging traces you might have placed there. Check your TODO items, run a code inspection from your IDE, remove any critical issues if found. Clear useless jar files, and resources. Also consider externalizing hard-coded strings to xml, so that you can add translations later on.
Check and validate manifest file, update version name and version code. Version name is shown when your app is listed in play store. Version code is incremented whenever you upload updated apk to play store. If its a major release you can bump up version name too.
Finally, build your apk in release mode, and optionally run pro-guard. If your app uses plain vanilla android API and no fancy external libraries such as RoboGuice etc, proguard will run fine. Other wise you will have to tell proguard to ignore classes under those packages. Proguard is optional, you can upload app without using it. Some IDE's have a nice GUI to do this.
Sign your apk with the key you created. Install it on test device, do a test run. Additionally, use emulator to test it across android versions. Take some screen shots, maybe a video too.
Prepare publishing material, write down few lines about your app, a list of features and any additional notes. Also, create a 512x512 icon image for your app.
If you have a website about your App, great, else make ready a valid mail id as a developer contact point.
Log in to developer console, upload apk file, fill in relevant screen shots, description, contact details etc etc. Save and publish. It can take anywhere between 2 to even 9-10 hours for your app to be visible in play store listings.
Your app url will be like https://play.google.com/store/apps/details?id=com.example.myapp. Keep an eye on statistics, put keywords along with app name like "muzo - music player" , most people don't know "muzo" they usually search for "music player". Have your app reviewed, links pointing to your app improve its search ranking.
There is an excelent topic in the android documentation talking about how to prepare your app for release. The procedure is the same for your 1st or you 1000st published app.
Please see here: http://developer.android.com/tools/publishing/preparing.html
PS: And a +1 for you, interesting question.
I wrote an android app for someone, but they want the source code because supposedly they need it to send the app to the android market.
Are they making that up or is that legit? Is there anyway to give them the app so that they can claim credit for it without giving them the source code?
I suppose worst case I could just get their publishing creds and publish it from my computer as though I were them..
Thoughts?
No, you do not need the source code to publish your app on the Android Market (now called Google Play Store). You just need a signed APK file.
No, they do not need the source code, only the unsigned APK. In order for it to be published they will need to sign it using their own fingerprint, but that should allow them to freely publish without having access to the source code. Alternatively, you could sign the APK yourself and give them that, but this might not be preferable for them.
Yes they need a version. However you could just send them the signed apk and let them release it from google.
I want to publish a beta version of some app of mine on the android market and face the problem that I cannot upload an app with the same package-name twice - not even with a different certificate. But having 2 package-names for release and beta version makes a lot of trouble ( e.g. having to change references to the different location of R every time )
Is there a best-practice/good workaround for that problem?
Yes call your package
com.you.app.beta
Fix all the bugs in this app. Then when you go live just copy the project refactor your package name (Eclipse CTRL+ALT+R on the item) update your manifest and re-release. The beta package is then not supported by you any more and you can even click unpublish, or release an update that shows an upgrade screen linking to the new package (i.e. new market url)
com.you.app
What's the problem?
since IO 2013 there is now one option to do beta-testing:
https://support.google.com/googleplay/android-developer/answer/3131213?hl=en
We upload but do not publish beta versions of our apps. Once uploaded, the market will assume that any incoming license check is being done from a legitimate installation that was side loaded and will respond "licensed". So our beta testers can test a full implementation, including the licensing code. (Test account responses are also honored for uploaded but unpublished apps.)
When the testing is complete, we upload the release version using the same package (and signing cert), and publish.
I came across this blog which discuss Android Beta Testing and feels like that the better way. So just sharing with you guys. Hopefully it will be helpful for all . http://zubhium.posterous.com/android-app-beta-testing
Pushing app with com.packagename.beta is not a very good idea. It creates unnecessary confusion and secondly you don't want to get unstable version in market to get bad ratings for your brand.
Why can't you just use the same package name for the release version? Doing so would also let your beta users get notified of an "application upgrade" (that is, the release of the final version).
If you do want to use different package names, one way is to make an ant script that you can run that changes all the imports, and the manifest.xml, to use the new name. So you have your code that you develop in, then you can just run your ant script whenever you're ready to upload to the Market; say "ant beta". This would rename all your packages from com.company.app to com.company.app_beta, and you could release it on the Market.
It is good practice not to upload a beta version to the Market. You should only upload production ready applications to the Market, as this is what the users expect.
If you want to beta test your application, it is better to use a private distribution channel.
If you use the same certificate, then an application with the same package name will be considered as an update to a previous one. Users will be able to update easily.
I have an app on the Android Market, and recently I was made aware that another publisher had uploaded it under a different name, and was giving it away for free.
I've never uploaded an apk that wasn't signed correctly in the official Google manner. What I'd like to know is, is code signing intended to prevent this kind of thing happening?
Can someone remove the license and add their own? Is this easy to do?
They'd have to do more than just take your APK and upload it under their account. The namespace which you create is unique to your application. So, at a minimum they've reverse engineered some of your code.
As long as somebody is able to pull your apk off of their device and re-package it, nothing can really stop them from uploading it to the market on their own. Report it to Google and you may want to look into using the licensing service.
There is nothing preventing someone from doing this. All code signing does is ensure your application has not been modified from the version you published. i.e. a modified version cannot be installed on top of an unmodified version. If your app has simply been republished without modification, it is no different from your own version. Only the distribution source has changed.
You will need to implement some kind of licensing to prevent piracy. Android code signing is not like iOS code signing (where apps on the store as actually signed by Apple, not just you).