We have developed a small app for one company and we want it to be used in this company only. We're self-hosting the APK file and there is one problem. When people download our app, Android shows a warning about "installing from untrusted source", and that confuses a lot of workers.
Is there any way to validate or sign our APK with a Google key but without putting it in the Play Store?
In addition I want to say that we have an account on the Google Play Console (we paid the registration fee) but we don't want to use Google Enterprise solutions, which allow creating private app channels.
Google Play has something called Private Apps: https://support.google.com/googleplay/work/answer/6145139?hl=en
However, to my understanding this means that only members of my organization can install the app. It doesn't say what "organization" means, but I assume it's members of a Google Workspace or a specific email domain.
I want to achieve something similar to Apple's "Unlisted apps": https://developer.apple.com/support/unlisted-app-distribution
This means the app is present on the App Store, but it's not listed or searchable. Only if you have the link to the app can you download it, and the user will receive automatic updates.
Is there something similar on Google Play? I want to distribute and update the app via Google Play, but only to users that I share the url with.
You can publish the app on the Google Play Store via the Play Console and, while selecting where to launch (publish) the app, add the app/app bundle only to the closed testing option. There you can add specific email IDs and only those will be able to see the app, get updates, etc., no one else.
We use internal testing on the Play Store to test the app internally before we move to closed and open beta. More details can be accessed at the link below:
https://support.google.com/googleplay/android-developer/answer/9845334?hl=en
I'm trying to use a signature-level permission to share data between two apps in a secure way. Unfortunately, even if I use the same upload key for signing both apps, Google Play changes their signature after uploading to the store. Because of that, my apps can't communicate.
How do I sign two apps with the same key/certificate if we use Google Play App Signing?
I've done some research and I would like to explain here how Google Play App Signing works and how to use it with signature-level permissions.
First of all, if we use Google Play App Signing we actually use two keys to sign our app. The first is the upload key and the second is the app signing key. Both are generated in the same way from Android Studio, and we can use the upload key from one app as the app signing key for another app.
The app signing key is stored in Google Play and after uploading it we don't have access to it. We have the possibility to upload it when we enrol in Google Play App Signing for an existing app, or it can be generated by Google Play for a new app, and then we don't have access to it at all. We can say that the app signing key is actually the real key which we use for distributing the app to our users.
The whole mechanism looks like this:
[Image not captured: Google Play App Signing flow. Image source: official app signing documentation]
As you can see in the image, we use the upload key to upload our app to Google Play, and then Google Play removes our signature and signs our app with a different key. It is useful because if we lose our upload key we will not lose the possibility to upload our app (we can ask Google to use a new upload key). Moreover, Google Play can now split our app into smaller parts and distribute them independently, and every part will be signed with our app signing key (Android App Bundles).
The disadvantage of this solution is that the app which we upload to the store has a different signature than the app which we download from Google Play.
It is very problematic, especially if we use signature-level permissions in our app. Moreover, it is also a problem when we want to upload our app to a different store than Google Play.
By using signature-level permissions we can share data between two apps in a secure way (use case example), but there is one main condition: both apps have to have the same signature.
Even if we use the same upload key, it doesn't mean our apps will have the same signatures, because the keys which are used by Google Play can be different.
In practice it means that when you test the release version of your app everything looks great, but after uploading it to Google Play it doesn't work (this problem affects every feature which depends on the app signature: Facebook login, tamper detection).
So, how do we use the same key for two apps when we use Google Play App Signing?
When we create a new app in Google Play and try to create the first release to production, Google Play will ask:
And then under advanced options we can find:
After that, both apps will have the same signature for our users.
Unfortunately, if we try to do it for an app which is already published to our users (we can enrol in Google Play App Signing later), we don't have this option available and we can't use the same key.
What if we can't do it but we want to use secure data sharing between two apps?
We can verify the signature, which is not the same, manually and try to prevent attacks from inside our app which provides the data. It is not as secure as the first solution but more secure than doing nothing :)
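One way to do the manual check the answer above ends with, as an added example that is not part of the original answer: the data-providing app verifies that the calling UID belongs to the peer package and that the peer is signed with the expected certificate, using the platform's PackageManager.hasSigningCertificate() (API 28+). The peer package name and the fingerprint value are placeholders I assume here; the fingerprint to pin is that of the peer's app signing certificate (the key Google Play actually signs with), not its upload key.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;

/**
 * Guard for the app that provides the data: serve a request only when the
 * calling UID belongs to the expected peer package AND that package is signed
 * with the expected certificate. Needs API 28+ for hasSigningCertificate().
 */
public final class PeerSignatureGuard {
    // Hypothetical peer package name (assumption, not from the page).
    private static final String PEER_PACKAGE = "com.example.peerapp";
    // PLACEHOLDER: hex SHA-256 fingerprint of the peer's *app signing* certificate,
    // i.e. the key Google Play signs with (shown in Play Console), not the upload key.
    private static final String PEER_CERT_SHA256_HEX =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private PeerSignatureGuard() {}

    /** Call at the entry point of your ContentProvider/Service, before any
     *  clearCallingIdentity(), so Binder still reports the caller's UID. */
    public static boolean isTrustedCaller(Context ctx) {
        return isTrustedUid(ctx, Binder.getCallingUid());
    }

    static boolean isTrustedUid(Context ctx, int uid) {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(uid);   // null for unknown UIDs
        if (pkgs == null) return false;
        boolean peerOwnsUid = false;
        for (String p : pkgs) {
            if (PEER_PACKAGE.equals(p)) peerOwnsUid = true;
        }
        if (!peerOwnsUid) return false;
        // The platform matches the fingerprint against the package's signing
        // lineage (key-rotation aware) and returns false for multi-signer APKs,
        // so a same-named app signed with another key is rejected here.
        return pm.hasSigningCertificate(PEER_PACKAGE,
                hexToBytes(PEER_CERT_SHA256_HEX), PackageManager.CERT_INPUT_SHA256);
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Pin the fingerprint you read from the Play Console's App signing page for the peer app; a release build signed locally with the upload key will fail this check, which is the mismatch the answer describes.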
As you found out, sharing the same upload key does not mean that the app signing key will be shared as well. However, there is a way to do that when you first enroll in App Signing by Play: under the "Advanced" section in the enrollment card, there is an option to reuse the app signing key of another app already enrolled in App Signing.
You will need to create a new app, however, since there is today no way to change the app signing key.
This is documented on this page under "Opt in to app signing by Google Play" > "New apps".
Hope that helps,
The following is the situation:
I have an app that I have published to the Google Play Store (version code: 100, version name 1.100).
I want to add a feature that allows people to update the app using an APK (release) from a website instead of from the Play Store.
BUT during testing I found the following problem:
Download the current app from the store (v 100)
After that, try to install (update) using the APK I compile
Result: "App not installed."
But if I
install a hand-created old APK (exactly the same as was uploaded to the Store)
try to install a hand-created APK update that was uploaded to the store
everything works fine.
CAN you please describe whether there are some limits or additional security checks, or something wrong on my side?
You are probably signed up for Google Play App Signing.
Every Android app is signed with a key. When the phone tries to install an update, the update must be signed with the same key as the original app. This is for the security of the user. This stops a fake version of WhatsApp or Facebook (or your app) being created and users being tricked into installing it. A bad developer can create an app with the same package name, but doesn't have access to the key, so this protects the users.
When you deliver through Google Play App Signing, Google removes the signature with your key (the "upload key") and signs it with a new Google Play key. This is a good thing. It protects you if you lose your upload key; without this, there would be nothing Google could do to help you.
But this is why the upgrade doesn't happen. The app you hand-create is signed with your upload key, so it won't update the app installed from Google Play.
This is a good thing. You don't want users who installed from one source (e.g. Google Play) to update from another source, like a download from a website. It would put them at serious risk of harmful fake apps.
However, if you really want to do this, you need to not use Google Play App Signing.
An alternative solution:
You can upload your signed APK to the Google Play Console, then download the new signed APK and put it on your website or anywhere else.
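If you do host an APK for out-of-store updates, the app can check the downloaded file against the installed copy before prompting the installer, so a signer mismatch surfaces as a clear error instead of "App not installed". This is an added example, not code from the answers above; the class name and the API 28+ requirement are my assumptions, and it covers the single-signer case only.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;

/**
 * Checks a downloaded APK before handing it to the package installer: same
 * package name, higher versionCode, and signed with a certificate the installed
 * copy already trusts. A signer mismatch is exactly the "App not installed"
 * case described in the question. Needs API 28+.
 */
public final class SelfHostedUpdateCheck {
    private SelfHostedUpdateCheck() {}

    /** @param apkPath local path of the downloaded APK (e.g. under getCacheDir()). */
    public static boolean isInstallableUpdate(Context ctx, String apkPath) {
        PackageManager pm = ctx.getPackageManager();
        String self = ctx.getPackageName();
        PackageInfo archive =
                pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNING_CERTIFICATES);
        if (archive == null || archive.signingInfo == null) return false; // unparseable/unsigned
        if (!self.equals(archive.packageName)) return false;           // not an update of us

        PackageInfo installed;
        try {
            installed = pm.getPackageInfo(self, 0);
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
        // Android refuses downgrades; require a strictly newer versionCode.
        if (archive.getLongVersionCode() <= installed.getLongVersionCode()) return false;

        SigningInfo si = archive.signingInfo;
        if (si.hasMultipleSigners()) return false; // keep it to the single-signer case
        Signature[] signers = si.getApkContentsSigners();
        if (signers == null || signers.length != 1) return false;
        // The installed copy's lineage holds the Play app signing certificate
        // (Play install) or the upload certificate (hand-installed release build);
        // the installer will refuse the update unless the APK's signer matches it.
        return pm.hasSigningCertificate(self, signers[0].toByteArray(),
                PackageManager.CERT_INPUT_RAW_X509);
    }
}
```

For a Play-installed copy this only returns true for the Play-signed APK downloaded from the Console, as the answer suggests; a locally signed release build fails the signer comparison.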
I am confused about Android application testing. When I publish an alpha version, do all the people who are registered as testers in the whole world have access to the app, or do I get a link and send it to whoever I know to test it? If it's the latter, how can I get testers for my app?
Alpha and beta tests work in the same way. You upload your app to Google Play, fill out all the fields in your store entry and then you need to create a Google Plus community. Copy and paste the URL of the community into the Google Play Developer Console as testers; you will see another URL (URL2), which has to be opened by your testers. Now you need to find people to join your group in Google Plus and tell them the procedure for testers:
Open URL2
and confirm participation in the testing
The installation has to be started with a browser; the URL of your app is the same as for apps in production.
If you ship a new alpha version, your testers get the new version automatically if they have configured that.
From here on everything is as it is for apps in production.
I agree it is kind of an odd procedure and I hope I explained it clearly. However, what you can always do is just upload your APK to a web server and provide your testers with the link to the app on your web server; your testers only need to accept installations from third parties. You can't get ratings for such an app.
Further, what you said will only work in alpha testing; you should have a separate testing team in your organization so that you can share the URL with them to test the app, or you can add them using their Google Play account so that the app will be visible only to them in their Google Play app, not to all of the real-time users.
Until you upload the APK in production mode, your app will not be visible to other users.
I'm currently developing an Android application using In-app Billing functionality. In order to perform testing with real end-to-end payment scenarios I need to upload the application draft to Google Play, as described here.
However, my customer wants to publish the application later using its own Google Play account.
Is it possible that I upload the draft first, remove it after testing, and then my customer releases the application (with the same package name) with a totally different Google Play account? Would Google Play allow that?
I don't want to mess with the package ID; it is annoying (but perhaps safest?).
Answering (sort of) my own question:
It seems perfectly fine to remove the application draft from one profile and re-upload it to another one.
For the time being I only checked re-uploading an APK signed with the same private key.
Funnily enough, all the in-app items that I configured for this application on my own profile reappeared after uploading to the second profile!
Nope, when the applications are exported, they are exported and signed with certain certificates and a private key, so that if anyone has that private key, they will be able to upload the app with the same identifier,
i.e.
com.yourcompanyname.appname
This is a unique identifier; it identifies your app so it can be updated further.