There is such problem:
1) I have to use my our distribution service to give new builds of app to testers (no way to use HockeyApp or etc.)
2) I want to give unique APK file to each tester. But it is not possible for me to compile ~3000 APK files for every new build of application.
So I want to add some kind of ID to APK file without recompiling it.
(I need it to identify, if some user will share this APK file somewhere in web without my permission)
Example:
User downloads .apk file from my site => uploads it to some forum/website => I see, that somebody has shared my app in web => I download apk from that forum/website => I identify, who shared it (via unique ID of apk)
That is not going to be easy because all files of your APK are covered by the signature, so anything you add will have to be somewhere else.
You could try modifying the zip comments of the APK (if you can find a library that allows you to do that -- maybe "apkzlib"), I'm not sure if this part is covered by the signature.
Alternatively, you could try adding a file to the APK that is not referenced in the zip central directory (a "ghost file" in a way, it wouldn't exist for most zip tools), maybe the signature doesn't cover those either, but I haven't verified. This solution also requires good knowledge of the zip format to implement it.
Note as well that if this can be done without touching the signature, it can also be removed without touching the signature... so if one of your tester finds out about this, they could remove it. But I guess it wouldn't be trivial to do, so that might be sufficient anyway.
There are two constraints:
Unsigned apks can not be installed.
an apk signature signes every bit of the apk, therefore the wole apk must be signed.
Luckily signing an apk takes only some seconds and should be feasible for 3k apks.
So you can write a script that writes the id to a file within the akp (which is basically a .zip file) and sign it afterwards. See Can I re-sign an .apk with a different certificate than what it came with?
See https://developer.android.com/studio/publish/app-signing#sign-manually on how to sign from command line.
Related
I am writing an application where inside application wanted to identify from which URL-Source apk is download. Is there any way to get it.
Basically I wanted to know how many times apk is install from given URL.
Any suggestion here!!
I am writing an application where I need to find download URL of apk. Is there any way to get it.
No, because there is no download URL. APKs are installed from local files. How the APK got to be a local file (downloaded from a URL, received in an email attachment, copied over to external storage via USB cable, etc.) is not something that you can determine.
Basically I wanted to know how many times apk is install from given URL.
You are certainly welcome to use product flavors in Android Studio/Gradle for Android to create custom APKs based on distribution channel, where those APKs have a custom value baked into them (e.g., buildConfigField mapping to a BuildConfig field).
I have apk file that will be distributed between a lot of users. The file is same for all but I need to specify ID for each one that will be used in code (ideally it should be done automatically by php script). For now I tried to put ID to text file in Assets and then open apk as archive in Windows, update value in text file then save (update archive). As result my application cannot be installed anymore.
Why it doesn't work? Or may be there another way to set ID for each apk without recreating package in development environment?
There is no way to do that, you must compile and sign your app on every change.
Android do a hash for your apk, if you change a bit the content, this hash do not coincide and will not be a valid apk (not able to install).
You can do somewhat script to automatize the change of a file and compile/sign after your apk.
is it possible to create .apk file by copying an already existing .apk file and modifying its assets folder? I have some information in a file in assets folder containing server ip and port to which the user is to connect. Users are from different regions and have to connect through different servers. can anyone tell me how to implement this?
I've added a comment with my recommended solution to this problem. However, here's an answer to your question:
Of course you can unpack the APK, swap out the assets and then create a new APK from that. However, you will need to sign the APK again with the correct key.
If you are building the apps yourself, you can just build multiple APKs, each containing a different asset file. However, you would have to distribute these APKs by hand (ie: they can't be uploaded to Google Play) because they would each have the same package name and you cannot have multiple apps in the app store with the same package name.
I had a concern about the security of my android app.
I developed an app uploaded it on market and got more than 1 lac downloads. I also uploaded my app on Mobango(android store). On monago a persom can download my app's .apk file.
So if any person acn download .apk file of my app, he can upload it on other android store.
I have tried this I downloaded my app's apk from mobango and successfully uploaded on other android store.
My concern was anyone can steal my app and reupload with his name.
thanks
Yes we can reuse the .apk file and extract the source from it .......
This is a worry for all app developers on Google Play store. I've seen Google Chrome plugins which allows to download any apk from the store if you're brave enough to put your google login details and the device ID of your phone.
What you can do is obfuscate the content of the APK using something like ProGuard, which makes it hard to decompile.
Documents say:
The ProGuard tool shrinks, optimizes, and obfuscates your code by
removing unused code and renaming classes, fields, and methods with
semantically obscure names. The result is a smaller sized .apk file
that is more difficult to reverse engineer.
But you can see that it says that is more difficult to reverse engineer and so in theory it is not impossible.
Note that when you use ProGuard tool,you have to create a key.So if any body change your code and recreate another .apk from it this .apk can not publish as update or another version of your origin .apk .
I'm modifing some apks of my Honeycomb Tablet. I added some functions to SystemUI.apk which require new permission in the AndroidManifest.xml file. The problem is that I need to re-sign the package with the system certificates.
I tried to copy the META-INF from the previous apk, but the logcat is still saying "Invalid certificates".
So I was wondering how can I do this..thanks in advance for any help.
PS: I already tried to sign the apk with my keystore, but still the same error.
Unless you have access to the private key originally used to sign the APK, this is not possible. Simply copying the META-INF does not work, as the signatures contained in those files are no longer correct.
Alternatively, you would have to rebuild the entire Android system, signing everything with your own private key — however this is currently not possible as the source code for Honeycomb is not available.
If You have a root access, then try to back up (for security) old apk and delete it. Then try to copy new one into the same place... I did something like this with Google Maps - custom ROM, couldn't update from Market, I had to do this manually.