i developed an app for android and i'd like to publish it on google play.
I'd like to send the apk file to some other people, before publishing it.
My question is, what does protect my apk from someone else publishing it himself?
I could compile the app in debug, so google play doesnt except it.
I couldy compiled the app in release with a private key, but if the package name has never
been uploaded to google play, another developer account could just upload it as his app, cant he ?
What i do understand is, the private key protects an app from someone else using the same package name, if he doesnt have the key. But what protects an apk from being uploaded, if it hasnt been uploaded at that time ? Also, is it that complicated to reverse engineer an apk (signed or debug signed), and just change the package name. That way anyone could publish any app as a "new" one, in his account.
Maybe someone can clear things up a little.
Thx in advance
To prevent your testers to upload your apk to the app store, you yourself can privately publish it to the Play store in either Beta or Alpha stage. You can control who can see and download your app. Don't worry, you are not making it publicly available. See Use alpha/beta testing & staged rollouts. Now you've it available on playstore with that package name but with limited visibility only to the testers.
To prevent someone from reverse engineering your app, changing the package name and republishing on the store, as others have mentioned, you can obfuscate your code to make reverse engineering harder. There are many tools out there. Some are free and others are paid but ofcourse with more features like tampering resistance etc. See How to avoid reverse engineering of an APK file? question for more details.
Basically if your apk not signed you can't deploy it to googlePlay. More information here
You can obfuscate apk code with proguard which make hard to reverse engineering your apk.
I could compile the app in debug, so google play doesnt except it.
This is true, Play does not except unsigned apps. However, reverse engineering is a problem.
I couldy compiled the app in release with a private key, but if the
package name has never been uploaded to google play, another developer
account could just upload it as his app, cant he?
This is also true. He cant update it ever without your keystore, but he can upload it on Google play. I never sign apps when i send them for testing.
Luckily for us, there is a tool called Proguard that stops, or at least makes it very difficult for someone to do reverse engineering. Proguard does a lot of cool stuff but whats important is that it protects your code by renaming every class, method, field etc. So if you had a class MyActivity that had a method doSomething, i will now be(for example) class A method B etc.
Related
A teammate put the APK in the wrong account in Google Play, now, I need to fix without the original binary. So, I want to know if I can download the APK out of the wrong account, then signon with the correct account and upload?
FWIW - the APK is not yet published, it is still a draft as we need to put the remaining required collateral from Marketing team.
remove APK from wrong account draft.
create APK with correct account signature and upload there.
No, you cannot download the API from the dashboard. Probably would be some sort of a security violation if it were allowed.
This sounds like a re-marketing ploy (app rustling). It takes an app from one account and replaces the branding (names, images, etc) with that of another account.
If your devs do not archive their published works, then they are silly persons. What do they use for a code repository? A sock?
Google only stores the latest version of an app apk. Previous app versions are tracked, but the previous apks are not archived (as far as puny humans are concerned).
Only the latest published apk can be downloaded, and only as a customer.
There is no Wayback Machine for android apps, afaik.
Turns out I don't have Proguard activated on a live app that I have published to the Google Play store. It's not the end of the world since I don't have anything sensitive in the app (and I've found that I can decompile apps pretty well even when Proguard is applied).
My question is: If I apply Proguard and then upload a new .apk to Google Play, when my users update are they going to run into a problem?
One reason I ask is because I learned the hard way that changing the LAUNCHER activity in an app can make user-created shortcuts void in an updated version, so I'm trying to prevent causing any more inconvenience to my users.
If I apply Proguard and then upload a new .apk to Google Play, when my users update are they going to run into a problem?
No. You users are getting a compiled version of your application, not the raw sources.
As long as the package name remains the same and you sign the package using the same keystore you won't have any problems.
I wrote an android app for someone, but they want the source code because supposedly they need it to send the app to the android market.
Are they making that up or is that legit? Is there anyway to give them the app so that they can claim credit for it without giving them the source code?
I suppose worst case I could just get their publishing creds and publish it from my computer as though I were them..
Thoughts?
No, you do not need the source code to publish your app on the Android Market (now called Google Play Store). You just need a signed APK file.
No, they do not need the source code, only the unsigned APK. In order for it to be published they will need to sign it using their own fingerprint, but that should allow them to freely publish without having access to the source code. Alternatively, you could sign the APK yourself and give them that, but this might not be preferable for them.
Yes they need a version. However you could just send them the signed apk and let them release it from google.
Amazon's documentation is surprising lacking in information about the submitting binary process. From what I can tell, you submit an unsigned binary and they wrap it in their own code and produce a signed apk?
This leaves several questions:
Does the Amazon App Store perform a zipalign for you?
If you have your app in the Android Market (Google's) already, is it recommended to use the same package name or a different one? Does it make any difference?
I also saw elsewhere, that they offer the option to download the apk they prepare and sign it with your own key. Is it recommended to take this and then sign it with the same key you are using in the Android Market? Does it make any difference?
Are there any other considerations or pitfalls that one should know before diving into this process?
Yes. Amazon wraps your binary with code specific to their appstore that allows them to collect analytics data and enforce DRM. The app will be repackaged after that.
You should use the same package name. The Amazon distribution agreement currently has a number of provisos; e.g., that your app is not priced lower on another app store. They also do occasional checks to see whether the version of your app on the market is up to date. These checks are primarily done using the package name; changing the package name of your app could easily be viewed by them as a means to evade the terms of the agreement.
No. There may be good reasons why one would want to do this, but none that I can think of. By default, Amazon signs your apk with a signature that is specific to your Amazon developer account.
Other:
Read this. In particular, ensure that the app links correctly to the Amazon app store and not the Android market, or others. I don't have inside data, but I'd wager a fair amount that the vast majority of submissions that Amazon turn down fall afoul of that requirement.
Edit: Point 2 is no longer correct; see comment below.
Here is the reply I received from the amazon mobile app distribution team for a question concerning whether to submit signed or unsigned apk's:
"You can submit signed, or unsigned binaries to the store - we will then apply our signature to your app in either case. If you need to sign your app with a known signature (if you are using Facebook authorization for example) you can choose to upload your app using our self signing process (you will need to ask us for this to be enabled for you)."
The most straight forward way to submit an app is to export your signed apk from Eclipse (all zip aligned are ready to go), then upload via the Distribution Portal using our DRM and signature.
For the latest update of my app I just took the same signed apk I previously released to google play, and it worked well.
I have only published two little applications that sell almost nothing, but both got aproved and I followed exactly the same procedure I follow for publishing on the Android Market: I just exported the signed .apk from eclipse and also used the same package name. So far I have no problems, so I guess it's ok.
You should zipalign during every build, as a matter of practice.
I use the same exact build process for Amazon as I do before publishing to Google. Only difference is an Interface's variable to determine the market link (at build time, if/else is compiled out).
I have an app on the Android Market, and recently I was made aware that another publisher had uploaded it under a different name, and was giving it away for free.
I've never uploaded an apk that wasn't signed correctly in the official Google manner. What I'd like to know is, is code signing intended to prevent this kind of thing happening?
Can someone remove the license and add their own? Is this easy to do?
They'd have to do more than just take your APK and upload it under their account. The namespace which you create is unique to your application. So, at a minimum they've reverse engineered some of your code.
As long as somebody is able to pull your apk off of their device and re-package it, nothing can really stop them from uploading it to the market on their own. Report it to Google and you may want to look into using the licensing service.
There is nothing preventing someone from doing this. All code signing does is ensure your application has not been modified from the version you published. i.e. a modified version cannot be installed on top of an unmodified version. If your app has simply been republished without modification, it is no different from your own version. Only the distribution source has changed.
You will need to implement some kind of licensing to prevent piracy. Android code signing is not like iOS code signing (where apps on the store as actually signed by Apple, not just you).