Apps from unknown developers can sometimes be unsafe - android

After generating a signed APK (Release Version 1.0), I tried to test it on my phone but I get this message:
Play Protect doesn't recognize this app's developer. Apps from unknown developers can sometimes be unsafe.
I don't know why I get it. I have released so many apps without problems, but with this one I get this message. I tried to create a new keystore, and I also tried to create a new project with a different package name, but I am still facing the same issue.
How can I fix this?

I think it is just because you tried to install your app directly from APK, and the device or Play Protect can't verify your developer's ID. You can try to upload your apk to Google Play Store then install it from there to see if the problem still persists or not.

Google Play Protect recognizes the developer from the signing key the app is signed with. You can learn more about App Signing here. Google Play Protect gets this information from the key used to publish the app in Google Play.
Most new apps are enrolled in Google Play App Signing (Help article). You don't say whether yours is or not, but I suspect it is. That is a good thing: it lets Google help you if you lose your signing key or it gets compromised.
To see what the experience will be for your users, the best thing to do is use an Internal Testing Track when you publish your app during development. The release process is almost instant. And it lets you get the exact same experience your users will get, as the app is downloaded from Google Play, signed with the same key, etc.
You can find more about Internal Test Tracks here.

Related

Firebase App Distribution and Google play secure signing

I've set up Firebase App Distribution on our projects with the provided "App Tester" Android app, which is amazing. Although I identified one major issue that I know a lot of people using this tool are experiencing and, from what I saw, nobody actually knows the reason behind it.
The issue is: I download my app from the Play Store. Then I deploy a new version of my app on Firebase App Distribution to test it, go to App Tester, click on my app and click on install. I get the error "Installation failed" with no more details. To resolve the issue, I must uninstall the app from my phone and click install again to have a successful install.
The reason behind this is that Android does not allow a signed APK to be updated by another APK signed with a different key.
The APK that I download from the Play Store is signed by my CI, but then it is signed again by the Play Store with their signing feature (I know I can enable/disable it, but I prefer to keep it enabled). The key used by the Play Store to re-sign my APK is private and nobody can access it.
But the APK that I upload on Firebase App Distribution with Fastlane is signed by my CI, not the Play Store. So the key is different and that's why App Tester fails to install the app.
Can't I tell Firebase to do the same process of re-signing my APK with the key used by the Play Store? It is really annoying to uninstall my app whenever I previously installed it from the Play Store. More importantly, it's annoying for the testers at my company that don't understand why they get this error and don't know what to do...
Question: The application that you share with your testers using App Distribution, does it have the same app ID (e.g. com.xyz.abc) as the one on the Play Store?
There cannot be two signed applications with the same app ID on a single device.
One of the solutions will be to update the development app ID to be different from the production app ID.
E.g.
Production app id - com.xyz.abc
Development app id - com.xyz.abc-dev
This will also enable both apps to co-exist on the same device.

Release apk install/update app from google play

The following is the situation:
I have an app that I have published to the Google Play Store (version code: 100, version name: 1.100).
I want to add a feature that allows people to update the app using a release APK from a website instead of from the Play Store.
BUT during testing I found the following problem:
Download the current app from the store (v - 100)
After that, try to install (update) using the APK I compiled
Result: "App not installed."
But if I
install a hand-created old APK (exactly the same as was uploaded to the Store)
try to install a hand-created APK update that was uploaded to the store
everything works fine.
Can you please describe whether there are some limits or additional security checks, or whether something is wrong on my side?
You are probably signed into Google Play App Signing.
Every Android app is signed with a key. When the phone tries to install an update, the update must be signed with the same key as the original app. This is for the security of the user. This stops a fake version of WhatsApp or Facebook (or your app) being created and users tricked into installing it. A bad developer can create an app with the same package name, but doesn't have access to the key, so this protects the users.
When you deliver through Google Play App Signing, Google removes the signature with your key (the "upload key") and signs it with a new Google Play key. This is a good thing. It protects you if you lose your upload key; without this there would be nothing Google could do to help you.
But this is why the upgrade doesn't happen. The app you hand create is signed with your upload key, so it won't update the app installed from Google Play.
This is a good thing. You don't want users who installed from one source (e.g. Google Play) to update from another source, like a download from a website. It would put them at serious risk of harmful fake apps.
However, if you really want to do this, you need to not use Google Play App Signing.
An alternative solution:
You can upload your signed APK on the Google Play Console, then download the new signed APK and put it on your website or anywhere else.
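One way to check, before shipping a build, whether two APKs carry the same signing certificate (the condition the answer above describes): this is an added example, not code from the question or the answers. It reads the v1 (JAR) signature block in META-INF and walks the PKCS#7 DER by hand, using a constructed minimal APK as sample input; for real builds `apksigner verify --print-certs` reports the same digest, and a v2/v3-only APK has no META-INF signature file, so the lookup returns None.

```python
import hashlib, io, zipfile

def _tlv(data, pos):
    """Decode one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def first_cert_der(pkcs7):
    """DER bytes of the first certificate inside a PKCS#7 SignedData blob."""
    _, s, e = _tlv(pkcs7, 0)                    # ContentInfo SEQUENCE
    _, s, _ = _tlv(pkcs7, _tlv(pkcs7, s)[2])    # skip contentType OID, enter [0] EXPLICIT
    _, s, e = _tlv(pkcs7, s)                    # SignedData SEQUENCE
    while s < e:                                # version, digestAlgorithms, contentInfo, [0] ...
        tag, vs, ve = _tlv(pkcs7, s)
        if tag == 0xA0:                         # [0] IMPLICIT certificates SET
            return pkcs7[vs:_tlv(pkcs7, vs)[2]] # whole first Certificate TLV
        s = ve
    raise ValueError("no certificates in SignedData")

def signer_sha256(apk_bytes):
    """SHA-256 of the v1 signing certificate, or None for a v2/v3-only APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                return hashlib.sha256(first_cert_der(zf.read(name))).hexdigest()
    return None

def same_signer(apk_a, apk_b):                  # identical certificate is the precondition for an update
    return signer_sha256(apk_a) is not None and signer_sha256(apk_a) == signer_sha256(apk_b)

def _der(tag, body):
    """DER-encode one TLV; used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sample_apk(cert_body):
    """Constructed stand-in APK: a zip holding only a PKCS#7 wrapper around a dummy cert."""
    oid = lambda hexs: _der(0x06, bytes.fromhex(hexs))
    signed = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, oid("2a864886f70d010701"))
                  + _der(0xA0, _der(0x30, cert_body)) + _der(0x31, b""))
    pkcs7 = _der(0x30, oid("2a864886f70d010702") + _der(0xA0, signed))
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()
```

Two builds of the same app signed with the upload key and the Play key respectively will report different digests here, which is exactly why the sideloaded update is refused.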

Can the certificate for signing an APK be shared?

Our project has multiple Android developers that all have access to the Google Play Console, in order to be able to publish APK updates from their respective computers.
As mentioned in the docs and this post here:
The apk must be signed with the same certificates as the previous version
Question:
Is there a way for the first developer to share his certificate with the second developer, so that the second developer is able to publish APK updates to the Google Play Console?
So far I didn't see any mention of this in the docs or discussion.
The initial release of the app was published by the first developer. Now, the second developer would like to publish some updates as well. However, this seems to be blocked, such that only APKs signed from the first developer's computer will be permitted for update upload.
Update
For a more established team, I can see the cloud solution from the accepted answer working - but in our case, sharing the certificate file proved to be the most practical solution. It was clean, fast, and solved the requirement without otherwise adding any additional layers to the stack.
One way to deal with this is to use the Google Play App Signing function of the Developer Console. Your signing key can be stored with Google and secondary upload keys are used to generate the build.
When you upload the build, Google will re-sign it with the actual signing key. If another developer comes along, the upload key can be revoked and a new one generated but the actual signing key remains secure in Google-land.
See:
https://developer.android.com/studio/publish/app-signing.html
and:
https://support.google.com/googleplay/android-developer/answer/7384423

Use the same App-Signature-Certificate with different apps using Google Play App Signing

I have two different apps, and I want them to be able to communicate together.
For security reasons, I would like to restrict the communication with protectionLevel:signature, so I don't have to worry about other apps possibly messing with my apps.
The problem is, I use Google Play Signing for the first app. I noticed that when I want to create a new app in the Play Console and opt in for Google Play App Signing, another certificate is generated. So I suspect that the permission system is not working, as the release APK that users download will not be signed by the same certificate, and the "protectionLevel=signature" check will fail.
Is this true, or will it still work somehow when the upload certificate matches?
Is there any way to use the same certificate for different apps using Google Play App Signing?
I solved it:
There is a button for reusing the signing key from an old app in the "App Signature" tab in the Play Console.
Note that after you have generated a distribution key once, it cannot be changed, even if you have never uploaded an APK yet, so you have to press the button to reuse the key immediately, before generating another distribution key.
I had to delete my (unpublished) app and create a new one. If you have already published your app (even if just for a closed beta test), your only chance to get the same distribution key is to create a new app with a different app ID.

Can we identify who downloaded our application from the Play Store?

Can we identify who downloaded our application from the Play Store? I am checking my developer console and I think there is no option provided. Also, can we check whether a user has downloaded our app multiple times from the Play Store through our developer console?
I've checked on my own dev console and I don't believe there is one built in.
There is no real way unless you ask the user to register their information for the app. Also, I believe it would be a privacy issue and a hassle with Google if they kept track all the downloading information for each of its users.
