Can an APK be signed with another APK's signature? - android

I own an Android app but unfortunately an SSD disk issue happened and I lost all my app's project files.
I have re-coded my app but updates aren't getting pushed to my app users anymore through my app's in-app updater... And if I send them the APK file they get "App not installed".
And it turned out at the end that the issue is that the current users have my app installed with a different signature than the new re-coded app's signature.
So my question: Can I sign the new APK with the old APK's signature? Or is it possible to extract the keystore/signature of the old APK and put it into the new APK?
Note: I know that my app users can uninstall the current app and install the new one, but the app data for each user shouldn't be removed.

If what you want to do was possible, anyone could decompile, modify and redistribute any app; therefore it isn't possible. The OS will treat APKs with different signatures like different apps. The only way I know to use a new key for upgrades is if you used App Signing by Google Play.
Otherwise, you will have to ask your users to migrate to the new app manually.

If you want to use a different app signature, you can. For that you need to write a mail to Google and send them the details they require.
You can find answer here
I lost my .keystore file?

Related

Re-use the app id in Play Store after losing keystore file

I have a little issue where I created an Android release build from my Ionic project. I've signed the app in the platform/android/build/outputs/apk folder, so my keystore file also was there. Then I noticed a bug and rebuilt the app, but I figured out that the folder gets cleared at each build. As a result I don't have my keystore file anymore and I'm unable to add an update to the Play Store. I've unpublished the previous version but now I'm unable to use my app id as it is used by the unpublished version.
So right now I see three options:
1. Is there a way to change the app id from the unpublished app? (all related info I've read says no)
2. Is there an alternative way to use the same app id? (I would not like to have different app ids for iOS and Android)
3. As a final option I could use com.mydomain.app as the iOS id and use e.g. com.mydomain.android (and I've moved my signing process to a different folder outside the Ionic project), but is there a way to keep this release-friendly (meaning, is there a way to specify platform-specific app ids in Ionic config.xml or another file)?
How do you guys handle stuff like this? I suppose I'm not the first random guy this has happened to.
Edit: I found that I'm not the first random guy this has happened to. Which makes option 3 easier to accept if option 1 will never work.
No, this is not possible; it is mentioned clearly in the Google doc.
If you lose your keystore, you'll need to publish a new app with a new package name.
If you have lost your app signing key, you cannot upgrade your app. That is the reason Google came up with a new feature, "app signing by Google Play", where Google keeps your signing key. When you upload your app you need to sign it with a key (the upload key); Google verifies your signature, removes it, re-signs the APKs with the original app signing key you provided, and delivers your app to the user. The benefit of this feature is that if you lose your upload key, you can request a reset from Google, and you will be provided with a new upload key, which you will use for signing the app, and Google will re-sign your app using the main key it has been keeping since the start.
So I suggest you enrol in this feature this time, to avoid an issue in future in case you lose your signing key again.
As others have mentioned, this is not possible outside the scope of App Signing by Play.
However, if your app has not been installed by anyone from the Play Store (except yourself), you can request your app to be deleted, which would allow you to recreate a new app with the same package name.
App Id in a sense is just like a domain name, you can not have more than one as long as you are to upload the application on Google Play.
The only option for you is to create a new build with a different App id.

Upload error: Do not have last keystore for Android app

An app was built by another developer, and they don't have a key file. I know there is no way to get back the key store. This is the error message shown to me when I am updating the old APK to the new APK:
Is it possible to unpublish old app and republish the new app with the same package name, version code, and version name?
I want to know whether the users will get an update for the app or not. Is there any other way to solve this issue?
If you do not have the keystore that was originally used to upload the application, you cannot publish an update to that application.
Your only option if you do not have the correct keystore is to publish the application as a completely new app in the Play Store with a new app id. Your users will need to download the new application independently of the old app.

Google Play Upload Failed

I was recently hired to rewrite an existing Android project. The old project was published to Google Play, but I do not have access to the source files or the certificate that was used to sign it.
I finished my project, but I'm unable to publish it as a replacement for the old version because I signed mine with a different certificate. Google Play is also complaining because I used a different package name than the original project.
Is there any way around these roadblocks?
It is a new application from Google Play's perspective, so you can only publish it as a new application.
As you changed its package name, the only option you have is to publish it as a new app on Google Play.
It's a different app if it has a different package name; this is fundamental to Android. Package names are how you refer to a specific app in code and how you search for a specific app, among other things. If you want it to be the same app, keep the same package name!
If it is signed with a different certificate, it can't be installed as an upgrade. This is presumably so you can't install an app with the same package name as another app and read its private data — you have to delete the app (and its data) first (the benefit is limited, of course: you can uninstall the real app and install a lookalike malicious app and steal the user's data that way). This is a bit of a limitation in Android (it doesn't handle certificate expiry, for one) and might be fixed at some point, but I don't expect it to happen any time soon.
I've been in the same situation before — the original developer lost the signing key for one app but not the other. We changed the package name and released it as a new app.

Android Market - different signing certificate

I would like to update my app using the same package name but different signing certificate (consultants made first version and I don't have their certificate info). If I unpublish and then upload the new apk, will existing users be able to do an easy update or will users have to uninstall and download a new app?
This is not possible. The keystore contains a certificate which is used to digitally sign your apk. Each certificate is completely unique, and cannot be regenerated or recovered from older apks.
Google relies on this because it is extremely secure, and allows them to really reduce the chances that someone can hack your developer account details and upload a malicious apk as an update to your existing app.
For now, you'll have to reupload the app under a different package name with a different key, and somehow inform users that you have changed the app details.
When you unpublish the app, new users will no longer be able to see it, but older users will still have it installed and will be able to see it in Google Play.
They will have to download a new app.
Only if you have the original certificate is it possible to let users update the existing app.
See: Publishing Updates on Android Market
Before uploading the updated application, be sure that you have
incremented the android:versionCode and android:versionName attributes
in the <manifest> element of the manifest file. Also, the package name must be
the same and the .apk must be signed with the same private key. If the
package name and signing certificate do not match those of the
existing version, Market will consider it a new application and will
not offer it to users as an update.
also see this post:
Fraid not. The Play Store requires an updated app to have the same package name and the same certificate.
If you need to create a new certificate you would have to publish it as a new app with a different package name and upload this version to the market.
You would then have to tell existing users that in order to get the update they should download the new version from the play store and remove the existing app from the device.

Different signatures of apk

I made an application on android and published it on the play store. I signed my apk with a new private key.
Last week, I wanted to update my application with my new features. So I exported my new apk with the same private key previously created. Then I published it and the Play Store accepted it.
But on the Play Store on my phone, the application cannot be updated. I have to uninstall it first, and if I do that, I will lose my data.
So my question is: how can I make an updatable apk on the Google Play Store?
You can't change the signature of your apk uploaded to the Play Store; you'll need to use the same signature as before. If you do change the signature of your app and try to upload it, you will get an error telling you that the same application was found but with a different signature.
If you manually send your users an app (by mail, for example) with a changed signature, they will have to uninstall the current app before they can install the same app with the new signature. Users will lose their application data doing this! This is a safety mechanism, so hackers/bad people can't change your apk and get the user data in that way.
The Android system uses the signature to check if the application is really an update for the existing one on your phone. Because only you know your signature password and stuff, hackers can't use it in their fake app updates, for example.
Summary: Always use the same signature!
Check: http://developer.android.com/tools/publishing/app-signing.html
Edit: As said by #HandlerExploit
Probably you have your "non market version/debug version" of the app still installed on your phone, a debug version of the app is always signed with a default debug signature. This signature is different from the one on the market.
Most likely you installed your application with your computer's default debug signature during development; you will need to uninstall it before installing your new market version.
Not incrementing your version number in the manifest will also have this effect. Make sure the android:versionCode="1" is different in each version. Also including the exact error message, if it exists, may help.
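
The rule that runs through the answers above (an APK installs as an update only when it is signed with the same certificate as the installed app) can be checked before a build is shipped. The script below is an added example, not code from any of the posts: it parses the output of `apksigner verify --print-certs` and compares the signer certificate digests of two APKs. The function names and the sample digests are constructed for illustration, and it assumes no APK Signature Scheme v3 key rotation is in use.

```shell
#!/bin/sh
# Added example: decide whether a rebuilt APK can install over an existing one
# by comparing signer certificate digests reported by apksigner.

# Read `apksigner verify --print-certs` output on stdin and print the signer
# certificate SHA-256 digests, lowercased, sorted and de-duplicated.
cert_digests() {
    sed -n 's/^Signer.*certificate SHA-256 digest: *\([0-9A-Fa-f]\{64\}\).*$/\1/p' \
        | tr 'A-F' 'a-f' | sort -u
}

# compare_signers OLD_OUTPUT NEW_OUTPUT
#   0 = same signer set (the new APK can install as an update)
#   1 = different signers (Android treats it as a different app)
#   2 = no digest found in one input (unsigned APK or unexpected output)
compare_signers() {
    old=$(printf '%s\n' "$1" | cert_digests)
    new=$(printf '%s\n' "$2" | cert_digests)
    if [ -z "$old" ] || [ -z "$new" ]; then
        return 2
    fi
    if [ "$old" = "$new" ]; then
        return 0
    fi
    return 1
}

# Constructed sample outputs (placeholder 64-hex digests, not from a real app).
D_RELEASE=$(printf 'a1b2c3d4%.0s' 1 2 3 4 5 6 7 8)
D_DEBUG=$(printf '0f1e2d3c%.0s' 1 2 3 4 5 6 7 8)
SAMPLE_INSTALLED="Signer #1 certificate DN: CN=Example Release
Signer #1 certificate SHA-256 digest: $D_RELEASE
Signer #1 certificate SHA-1 digest: (omitted)"
SAMPLE_REBUILT_SAME="Signer #1 certificate SHA-256 digest: $(printf '%s' "$D_RELEASE" | tr 'a-f' 'A-F')"
SAMPLE_REBUILT_DEBUG="Signer #1 certificate DN: CN=Android Debug
Signer #1 certificate SHA-256 digest: $D_DEBUG"

# Real use: sh check.sh installed.apk rebuilt.apk   (needs apksigner on PATH)
if [ "$#" -eq 2 ]; then
    if compare_signers "$(apksigner verify --print-certs "$1")" \
                       "$(apksigner verify --print-certs "$2")"; then
        echo "same signer: installs as an update"
    else
        echo "signer mismatch or unsigned: will not install over the old app"
        exit 1
    fi
fi
```

A result of 1 for a release build compared against what is on a test device usually means the device still has the debug-signed build installed, as described in the last answer.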
