The following is the situation:
I have an app that I have published to the Google Play Store (version code: 100, version name: 1.100).
I want to add a feature that allows people to update the app using a (release) APK from a website instead of from the Play Store.
BUT during testing I found the following problem:
Download the current app from the store (v - 100)
after that, try to install (update) using the APK I compile
result: "App not installed."
But if I
install a hand-created old APK (exactly the same as was uploaded to the Store)
try to install a hand-created APK update that was uploaded to the store
everything works fine
Can you please describe whether there are some additional security checks or limits, or whether something is wrong on my side?
You are probably signed into Google Play App Signing.
Every Android app is signed with a key. When the phone tries to install an update, the update must be signed with the same key as the original app. This is for the security of the user. This stops a fake version of WhatsApp or Facebook (or your app) being created and users tricked into installing it. A bad developer can create an app with the same package name, but doesn't have access to the key, so this protects the users.
When you deliver through Google Play App Signing, Google removes the signature with your key (the "upload key") and signs it with a new Google Play key. This is a good thing. It protects you if you lose your upload key; without this there would be nothing Google could do to help you.
But this is why the upgrade doesn't happen. The app you hand-create is signed with your upload key, so it won't update the app installed from Google Play.
This is a good thing. You don't want users who installed from one source (e.g. Google Play) to update from another source, like a download from a website. It would put them at serious risk of harmful fake apps.
However, if you really want to do this, you need to not use Google Play App Signing.
An alternative solution:
You can upload your signed APK to the Google Play Console, then download the newly signed APK and put it on your website or anywhere else.
Related
I've set up Firebase App Distribution on our projects with the provided "App Tester" Android app, which is amazing. Although I identified one major issue that I know a lot of people using this tool are experiencing, and from what I saw, nobody actually knows the reason behind it.
The issue is: I download my app from the Play Store. Then I deploy a new version of my app on Firebase App Distribution to test it, go to App Tester, click on my app and click on install. I get the error "Installation failed" with no more details. To resolve the issue, I must uninstall the app from my phone and click install again to have a successful install.
The reason behind this is that Android does not allow a signed APK to be updated by another APK signed with a different key.
The APK that I download from the Play Store is signed by my CI, but then it is signed again by the Play Store with their signing feature (I know it can be enabled/disabled, but I prefer to keep it enabled). The key used by the Play Store to re-sign my APK is private and nobody can access it.
But the APK that I upload to Firebase App Distribution with Fastlane is signed by my CI, not the Play Store. So the key is different, and that's why App Tester fails to install the app.
Can't I tell Firebase to do the same process of re-signing my APK with the key used by the Play Store? It is really annoying to uninstall my app whenever I previously installed it from the Play Store. More importantly, it's annoying for the testers at my company that don't understand why they get this error and don't know what to do...
Question: The application that you share with your testers using App Distribution, does it have the same app id (e.g. com.xyz.abc) as the one on the Play Store?
There cannot be two signed applications with the same app id on a single device.
One of the solutions will be to update the development app id to be different from the production app id.
E.g.
Production app id - com.xyz.abc
Development app id - com.xyz.abc-dev
This will also enable both apps to co-exist on the same device.
I have published the APK in the Google Play Console,
but now I want to delete it and use the exact same code to publish it under a different name.
Is it possible to do it? Will the code be locked under the Google code signing mechanism?
If you want to keep the same app package and just change the name of the app, update it in your code AND in your Google Play Console; it should do the trick.
If you want to release the app using a different package name, you will need to sign your app with a new certificate, then upload it to the Play Console, but make sure you removed the first APK (it should appear as an artefact).
You can upload the same code twice, there is no blocking mechanism at the moment.
After generating a signed APK (Release Version 1.0), I tried to test it on my phone but I get this message:
Play Protect doesn't recognize this app's developer. Apps from unknown developers can sometimes be unsafe.
I don't know why I get it; I have released many apps without problems, but with this one I get this message. I tried to create a new keystore and also tried to create a new project with a different package name, but I am still facing the same issue.
How can I fix this?
I think it is just because you tried to install your app directly from APK, and the device or Play Protect can't verify your developer's ID. You can try to upload your apk to Google Play Store then install it from there to see if the problem still persists or not.
Google Play Protect recognizes the developer from the signing key the app is signed with. You can learn more about app signing here. Google Play Protect gets this information from the key used to publish the app in Google Play.
Most new apps are enrolled in Google Play App Signing (help article). You don't say whether yours is or not, but I suspect it is. That is a good thing: it lets Google help you if you lose your signing key or it gets compromised.
To see what the experience will be for your users, the best thing to do is use an Internal Testing Track when you publish your app during development. The release process is almost instant. And it lets you get the exact same experience your users will get, as the app is downloaded from Google Play, signed with the same key, etc.
You can find more about Internal Test Tracks here.
I try to use a signature-level permission to share data between two apps in a secure way. Unfortunately, even if I use the same upload key for signing both apps, Google Play changes their signature after uploading to the store. Because of that, my apps can't communicate.
How can I sign two apps with the same key/certificate if we use Google Play App Signing?
I've done some research and I would like to explain here how Google Play App Signing works and how to use it with a signature-level permission.
First of all, if we use Google Play App Signing we actually use two keys to sign our app. The first is the upload key and the second is the app signing key. Both are generated in the same way from Android Studio, and we can use the upload key from one app as the app signing key for the other app.
The app signing key is stored in Google Play, and after uploading it we don't have access to it. We have the possibility to upload it when we enrol in Google Play App Signing for an existing app, or it can be generated by Google Play for a new app, and then we don't have access to it at all. We can say that the app signing key is actually the real key which we use for distributing the app to our users.
The whole mechanism looks like this:
[Image: Google Play App Signing flow. Image source: official app signing documentation]
As you can see in the image, we use the upload key to upload our app to Google Play, and then Google Play removes our signature and signs our app with a different key. It is useful because if we lose our upload key we will not lose the possibility to upload our app (we can ask Google to use a new upload key). Moreover, Google Play can now split our app into smaller parts and distribute them independently, and every part will be signed with our app signing key (Android App Bundles).
The disadvantage of this solution is that the app which we upload to the store has a different signature than the app which we download from Google Play.
It is very problematic, especially if we use a signature-level permission in our app. Moreover, it is also a problem when we want to upload our app to a different store than Google Play.
By using a signature-level permission we can share data between two apps in a secure way (use case example), but there is one main condition: both apps have to have the same signature.
Even if we use the same upload key, it doesn't mean our apps will have the same signatures, because the keys which are used by Google Play can be different.
In practice it means that when you test the release version of your app everything looks great, but after uploading it to Google Play it doesn't work (this problem affects every feature which depends on the app signature: Facebook login, tamper detection).
So, how to use the same key for two apps when we use Google Play App Signing?
When we create a new app in Google Play and try to create the first release to production, then Google Play will ask:
And then under advanced options we can find:
After that both apps will have the same signature for our users.
Unfortunately, if we try to do it for an app which is already published to our users (we can enrol in Google Play App Signing later), we don't have this option available and we can't use the same key.
What if we can't do it but we want to use secure data sharing between two apps?
We can manually verify the signature (which is not the same) and try to prevent attacks from inside our app which provides the data. It is not as secure as the first solution, but more secure than doing nothing :)
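The "verify the signature manually" fallback described above, and the first question's "will the website APK update the Play-installed copy?" problem, both come down to the same check: is a given package currently signed with a certificate whose SHA-256 fingerprint we have pinned? The helper below is an added example, not code from any of the answers. It assumes the data-providing app pins the fingerprint of the app signing certificate shown in Play Console (the key Google signs with, not the upload key); the fingerprint value in the code is a placeholder, and the class and method names are hypothetical.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Build;
import android.os.Process;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical helper (added example, not from the page): checks that a package is signed with one
 * of a pinned set of certificates, identified by SHA-256 fingerprint. Intended for the app that
 * provides data, when a signature-level permission cannot be relied on because Play re-signed the apps.
 */
public final class SignerCheck {

    // PLACEHOLDER fingerprints. Pin the SHA-256 of the *app signing* certificate shown in Play Console
    // (the one Google signs with), not the upload certificate. The format is what
    // `apksigner verify --print-certs` / `keytool -printcert` print.
    private static final List<String> TRUSTED_CERT_SHA256 = Arrays.asList(
            "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00");

    private SignerCheck() {}

    /** True if the Binder caller (of a ContentProvider or bound Service) is signed with a trusted key. */
    public static boolean isCallerTrusted(Context ctx) {
        int uid = Binder.getCallingUid();
        if (uid == Process.myUid()) return true;               // call from our own process
        String[] pkgs = ctx.getPackageManager().getPackagesForUid(uid);
        if (pkgs == null || pkgs.length == 0) return false;
        // Packages that share a uid must be signed with the same certificates, so one lookup suffices.
        return isSignedByTrustedKey(ctx, pkgs[0]);
    }

    /** True if packageName is currently signed with one of the pinned certificates. */
    public static boolean isSignedByTrustedKey(Context ctx, String packageName) {
        PackageManager pm = ctx.getPackageManager();
        for (String fp : TRUSTED_CERT_SHA256) {
            byte[] expected = hexToBytes(fp);
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                // Framework API (API 28+); also honours v3 signing-key rotation lineage.
                if (pm.hasSigningCertificate(packageName, expected, PackageManager.CERT_INPUT_SHA256)) {
                    return true;
                }
            } else if (legacyMatches(pm, packageName, expected)) {
                return true;
            }
        }
        return false;
    }

    /** Pre-API-28 path: hash the DER certificate reported by GET_SIGNATURES. */
    @SuppressWarnings("deprecation")
    private static boolean legacyMatches(PackageManager pm, String packageName, byte[] expected) {
        try {
            PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
            // Refuse multi-signer APKs rather than trusting whichever entry comes first.
            if (info.signatures == null || info.signatures.length != 1) return false;
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(info.signatures[0].toByteArray());
            return MessageDigest.isEqual(actual, expected);     // constant-time comparison
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** "AB:CD:..." or "abcd..." -> raw bytes. */
    private static byte[] hexToBytes(String fingerprint) {
        String hex = fingerprint.replace(":", "");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

In the providing app, call `SignerCheck.isCallerTrusted(getContext())` at the top of `ContentProvider.query()` (or in the bound Service's entry points) and throw a `SecurityException` when it returns false; keep the manifest's signature-level permission as well, so the check is a second layer rather than the only one. For the first question's scenario, `isSignedByTrustedKey(ctx, ctx.getPackageName())` with the website build's certificate pinned tells the app up front whether the installed copy was signed with that key; if not (the Play-signed case), the only outcome of offering the download is "App not installed", so the app should point the user back to Play instead.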
As you found out, sharing the same upload key does not mean that the app signing key will be shared as well. However there is a way to do that when you first enroll in App Signing by Play: under the "Advanced" section in the enrollment card, there is an option to reuse the app signing key of another app already enrolled in App Signing.
You will need to create a new app however since there is today no way to change the app signing key.
This is documented on this page under "Opt in to app signing by Google Play" > "New apps".
Hope that helps,
I have this application which was made in 2015. I have updated that application and now I want to upload the updated version to the Play Store. But unfortunately, it is giving me an error that the SHA1 key is different. I am attaching the image below. [Image: Play Store Console screenshot]
Furthermore, the organization that I am working for does not have any information about the keystore password or alias. There is literally no information about the previous version. Therefore, I am totally clueless how to update this application in the Google Play Store.
Without the SHA1 key you cannot generate another signed APK to upload. You need that key in order to generate a new signed APK to upload.
Google will not re-sign any of your existing or new APKs that are signed with the app signing key. This enables you to start testing your app bundle in the open, closed, or internal test tracks while you release your existing APK in production without Google Play making any changes to it.
This basically means that you are trying to generate a signed APK using a different certificate than the one that was used to sign the original APK. If you can't get hold of the old certificate, you will have to create a new one (which I think you have already done), generate a signed APK, then publish it as a new app on the Play Store. You will have to unpublish the old application though. Try using a slight change in the package name, like a change from a small letter to a capital letter, e.g. from "com.example.company" to "Com.example.company".
It is precisely this problem that caused Google Play to introduce Google Play App signing. If your app is opted in, then Google looks after your signing keys, and if you lose the information, then Google Play support can help you change the upload key.
However, if you are not opted in to Google Play app signing there is nothing you can do.
The best option is, as other people have said, unpublish the old app, create a new one, and this time opt in to Google Play App Signing so it doesn't happen again.