I'm developing an app for specific tablets that should be updated via our custom server (just checking the json with the version and if that version is bigger then current one - we download new apk and install it.
And facing some strange signing behavior.
I sign an app with the release key and after install it on the device - everything works properly.
BUT
when tablets' manufacturer installs that signed apk as system app - then somehow signing certificate of the app changes and I cannot update it (because certificates are different according to the console).
I tried to log hashes of the certificates and what i've received:
simple installation mode:
current: 1925650013
next version: 1925650013
app installed as system
current: -1314815697
next version: 1925650013
looks like it became "debug" key, and I cannot understand why.
Your question already contains the answer: when tablets' manufacturer installs that signed apk as system app.
System apps (in the original meaning) are granted the system permission and for getting this permission the app has to be signed with the system manufacturer's key.
If your app does not require system permissions I assume this is a misunderstanding between you and the tablet manufacturer - in such a case you only want to have your app pre-installed on the system partition. Most users call such an app "system app" but actually it is just a regular app on the system partition.
Related
I'm writing a deployment manager for a development group that does tons of app deployments to different devices. The user connects an Android device, then gives the deployment manager an apk and tells it to deploy and run on a device. Right now I'm blindly uninstalling the app if it already exists on the device, then installing it from apk, then launching it.
For load time's sake, I'd like to skip the uninstall and install steps if the installed version of the app matches the contents of the user-provided apk. (The local copy of the deployment manager may have never seen this device before, so it can't rely on a local record of previous deployments to tell whether the installed version of the app matches.)
I can't trust the apk version number, since another programmer might have used the same version number to deploy a local build to this device already. Likewise, we're all using the same key to sign the apks, so the signature isn't helpful.
Is there something like a hash of an apk that I can get and compare it to the hash of an installed app?
I'm developing a non google play application, that will be delivered as an unsigned release assembly apk to device manufacturers that will sign it with their own private system key signature.
the system signature is essential, because the app uses permissions with protection level signatureOrSystem .
since the app not going to be installed as a system privileged app, it must be signed with the system's signature.
since I'm not going to have access to the final signed apk (or the signing key itself) I don't know how can I test the product I'm delivering (on a real device and not emulator) since it functionality depends on been signed with a system signature.
so far, only reference I found is a very old thread discussing about how to sign with system signature, but as I understand - it will not work anymore.
I would like to understand what is the recommended work-flow for how to test my app behavior as it signed with a system signature on a real device.
With larger companies, the company manufacturing the device will provide a version of the OS for the app developer to flash to a device that has a different set of recognized signing keys for you to test with. This is how they would expect app developers to be able to test their apps as if they were running on a full production device.
You might be able to get away with rooting a device and sideloading your APK in /system/app instead of the usual install location of /data/app. Once you have an app with a manifest with necessary system permissions installed there, reboot, and install normally (adb install to /data/app) and then you will be able to use the system permissions define in the app in /system/app.
I have my application in Google Play, I've downloaded and installed it on my phone.
I'm also currently working on update of this application, and whenever I want to install my .apk file on my phone it shows me, that I can't do it, because the app is already here.
Where in Eclipse can I set some settings, which will allow me to install my updated app without installing original one?
EDIT
I want to have two versions on my device at the same time.
One simple solution is to change the package name, since that's how the OS identifies the .apk. Indeed, the package is unique to the Market: how does an android phone(or market) recognize an app
You can not install and run the app from eclipse because the app installed on the device (the one from play store) is signed with a different key.
When you export your app you sign the apk with a specific key and when u run it from eclipse you sign it with a different key - the debugkey.
If you HAVE to install another version on the device without uninstalling the old one from the device (the one you got from the play store) you should:
1.export your app and sign it with the same key you signed the app you uploaded to the play store.
2.upload the exported apk to the device.
3.install it.
EDIT:
If you want to versions on the same device you should change the app package name.
I have a system app that the OEM installs with the system image, but is signed by me. If I upload an updated apk to the market, will the market app silently install this update automatically?
If my system app is instead signed with the platform signature instead of mine, this means any updates also have to be signed with the platform signature, correct? Can a platform-signed apk be updated from the market?
Lets first of all clarify the difference between all types of apps.
System apps are those that are located in the /system/app folder. These applications have a flag ApplicationInfo.FLAG_SYSTEM set. In an ordinary device the partition /system is mounted for read-only access. Thus, a system application cannot be updated because it is located in the read-only location. These applications can be updated only as a part of OTA update.
Ordinary apps are located on the /data partition which is read-write. Thus, these applications can be updated by a system.
Now lets talk about signatures. Some Android components are protected with permissions of signature type. This means that if you want to have access to a component protected with this type of permission, your application must be signed with the same certificate as a protected component. This is true not only for Android system, but also for Android applications, i.e. in your application you can have a component that is protected with a signature permission, thus, only applications that have the same signature will have access to this component.
The third thesis which we require to answer your question is that Android prohibits the installation of the packages that have the same package name but different signatures.
Thus,
I have a system app that the OEM installs with the system image, but
is signed by me. If I upload an updated apk to the market, will the
market app silently install this update automatically?
If my system app is instead signed with the platform signature instead
of mine, this means any updates also have to be signed with the
platform signature, correct? Can a platform-signed apk be updated from
the market?
The answer is no. Although the apps that are located in /system/app can be signed with a certificate that differs from the platform one, the update of these applications is possible only with system update.
To solve your problem you can change the packagename of your application, sign it with your (if the application does not require to have access to protected Android components) or platform (if the application should have access to protected components and if you have access to this signature) and put this application into market. Then, you'll receive the updates of your application through the market.
The system will not treat an apk in /data/app as an update unless the signatur matches the one in /system/ap
I am facing a strange problem. I created an apk of my application with unsigned key and tried to install it on my samsung galaxy pop, but i am not able to install it on my samsung galaxy pop. I enabled the option for installation of non market place app but i am getting unable to install message.
However when i am connecting phone with USB and clicking on run it is getting installed in the device.
is there anything wrong in my approach??
this is my sample apk file which i am trying to install http://www.mediafire.com/?aotxfupx7h7t568
Thanks
You must sign it
From Signing Your Applications
*The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer. The Android system uses the certificate as a means of identifying the author of an application and establishing trust relationships between applications. The certificate is not used to control which applications the user can install. The certificate does not need to be signed by a certificate authority: it is perfectly allowable, and typical, for Android applications to use self-signed certificates.
All applications must be signed. The system will not install an application that is not signed.
It couldn't be any clearer
If you are doing this from Eclipse and running the app on handset, I think android treats it differently, since you probably had USB debugging enabled and the handset is fooled into thinking it is debugging.
When you tried installing the app, because it is not signed the handset may be rejecting it.
You should be fine running and debugging like this, but when you create the final apk you will need it signed.