I compiled a project (that contains a sqlite db) using a pc that I have not access to that no more. People used that and inserted records to the db. I don't have any access to their tablets. I made a mistake and i have sent them the apk was in bin directory. I changed the program, I want to tell them to update their apps but when they try to replace app, android doesn't let them. So i have to sign my apk as same as the signature of the apk i made on that computer.
What should i do ? Thanks for your help.
Expanding on my comments:
There's not much you can really do if you don't have access to the old signature. It sounds like you're talking about the debug signature. As you found out, this varies from machine to machine, and if you don't have access to the old machine, it's just gone.
This is normally a good thing for security reasons. If it was possible to recover your key, anyone could do it. Then they could maliciously modify the app and upload it as a replacement.
As you've also found out, Android won't let you install an update that has a different signature than the currently installed version. If your users completely uninstall the app, they will then be able to install the new one. That's definitely inconvenient, and a customer service headache, but there's not any other way to do it.
Note that the users will lose any databases, etc, that they had in the app. It will act as a fresh install, since that's what it is.
Theoretically, rooted users could back up their old databases/preferences with any number of utilities and restore them later. In practice, even most users that can do this won't bother with it.
Related
My question may look strange but I'll try to explain somehow. Let's imagine there is an Android device with software that adjusts some settings based on application package name - it's a real-life scenario. This software may provide better performance for listed applications and there is no way to add my application to that list. What I'm capable of doing is to release my application under one of listed package names (not to Google Play, just provide APK on GitHub so that anyone who wants to use it will install it manually). And there comes my question:
is it legal to use some company's existing package name for my own application? Is it protected legally? My app is free & open source application.
Just to be clear: I'm not doing this to impersonate "real" application with bad intentions. I just want my application to use full range of device capabilities... And download page will state it clearly & visibly :)
In other words: can I release app with package name e.g. com.google.android.talk? I know that it won't override existing app if someone has it installed etc. (it's not my goal to override some application). I'm just talking about such possibility and legality.
This is totally legal, as you can use whatever String you want for your app/package name.
However, just doing this will most probably be not enough to "impersonate" the other app, as this would be a serious security flaw. First of all, there can never be two apps with the same package name installed.
If the app you speak about is created by a "serious" developer, say Google or one of the OEMs, it will check both package and signature of the app and will therefore know your app is not the same as the replaced app.
Also, when the user tries to install your app, a package conflict will happen, followed by the signature conflict. There are two scenarios here:
If the app you are replacing is a standard app, the user will be able to install your app from adb, but only after thay accept to completely wipe the data of the original app. You have probably seen this dialog while developing stuff.
If the app is provided by the OEM and has system permissions, the installation will simply fail, with no possibility to "overwrite" the app. This can be dodged by having the devices rooted, replacing the .apk file in the system directory and restarting the phone.
Please mind that none of the above will work by just uploading the .apk to the phone. This needs to be done from adb. On-phone installer will just fail.
This is my first questions on SO, but I would first like to thank the community for helping me along the way in creating a few Android apps. I am not a programmer by profession, and most of the stuff I make is just for fun, but one Android app is a real project that I created for a client, and I've run into some real trouble and need some help.
The app I made basically takes in some data, stores it into an SQL database, and when necessary, uses queries to pull various information from the DB, and displays it. If any adjustments need to be made, I make them and just send them another .apk. No problem, until now...
I recently upgraded to Windows 10, doubled my laptop's RAM and replaced my hard drive with an SSD, and did a refresh of the OS. Everything, including Android Studio, runs like a dream now!!! I had a request from my client to make a few adjustments, so I recopied my backed up source code to my projects folder, opened the code, made the modifications, and resent the .apk to my client. They are getting the following message:
"X App not installed.
An existing package by the same name with a conflicting signature is already installed."
The only changes I made to the app were adding a table to the database (and upgrading the DB version number, of course), and modified some layouts and a couple of methods and calculations, etc. Nothing more. I have searched up and down and have even replicated the same error on my tablet and can't find a way around it. My client currently has a few months worth of data input into the app, so they can't just uninstall it and do a new app installation. Is there anything I can do at this point? Also, I never made any custom key signature, just programmed, made .apk, and have sent numerous updates without issue. Any help would be greatly appreciated. (I have all my project folders and .apks backed up for all the different versions that I have sent)
Thank you!
Your best bet at this point, assuming you can't find/get the original key, is to use a backup program (or adb pull worst case) to backup his /data/data/ folder. Then you can uninstall the original app and reinstall the new version. Then you can restore/adb push the old folder's contents to the phone to restore the data files. This may require rooting it.
If possible I would test this on another phone first, to make sure it works, since you only get 1 shot at this. I would also save your key in your source control repo in the future.
I have made an app and for testing I want to give it to some friends for trying/testing. But I don't want them to pass it on to others. So is there a way that after installing the apk, the apk deletes itself?
When you install an apk, it is merely copied to the internal storage. Someone could always retrieve it from there easily enough.
There is no way to delete the apk they downloaded to install it, as you don't know where that apk is located on there phone. You could always show a dialog asking them to, or write some code into your app that sets an expiry date after which is stops working (like in the SwiftKey Flow Beta).
However, mostly handing out beta apks is a matter of trust. If you don't trust a tester to keep it private, don't give it to them.
There's a good report here of a recent scam perpetrated through the Android market.
http://www.theregister.co.uk/2011/12/12/android_market_malware/
Someone copied some popular game .apk files off a rooted phone, decompiled them with smali, added code to make them use an expensive premium SMS service, re-signed them with his own key, and put them back in the Android market. Over 10K users downloaded them in the 24 hours before Google booted the apps from the market.
How can app developers protect against their work being stolen, modified, and remarketed in this way? I suppose you could match the MD5 hash of your app as it was when you shipped it (perhaps kept with your app in the google market, or on one of your servers), with the MD5 hash of the app as it is now. But we don't have tools for checking the MD5 hash of an .apk file, and the underlying files are not visible to app software.
Ensuring identity integrity of an app you run, surely, is a solved problem. What is the best practice?
This kind of black hat practice are impossible to avoid. Whatever you find, a lucky, ingenious, patient hacker will undo it.
You can nevertheless hope to work hard enough to make it harder for most hackers to easily break your protections. That's what people often call IT security btw :)
Fields to investigate are :
obfscation
CRCs and MD5 as you mentionned it
secure networked verification
a second app to check the first
a custom checking class loader (can you do that on android ?)
Not the be-all-to-end-all but there is ProGuard:
The ProGuard tool shrinks, optimizes, and obfuscates your code by
removing unused code and renaming classes, fields, and methods with
semantically obscure names. The result is a smaller sized .apk file
that is more difficult to reverse engineer. Because ProGuard makes
your application harder to reverse engineer.
If you are willing to spend some money then go for some professional help such as Arxan. We have used this in our enterprise level app. Basically it recompiles the .apk with its own encryption and creates a new apk which will enable you to know whether tampering was done with apk and other such instances. You may refer to this url : https://www.arxan.com/ for more details and do your research accordingly.
Ok so I have a few apps on the Android market that are very similar, just targeting different languages. When I made the apps, I just went through and created the key stores based on the langage they were for, and didn't pay a whole lot of attention as to where I was putting them.
Now I'm going through trying to update the apps, and there are a couple apps whose keystore didn't automatically populate as found by Eclipse.
This isn't a matter of me losing my computer, or losing my hard drive, I just don't know where to look for the files I need. What is the key's filename extension? Is there a certain place it would be stored by default? I have several time machine backups I can go to, where should I look?
Thanks!
In all probability, the .keystore files (the key) might have been moved which is why Eclipse isn't able to populate them by default. Try doing a search for *.keystore.
If not, just create a new one. Let us know how it goes.