I'm currently developing an Android application using InApp Billing functionality. In order to perform testing with real end-to-end payment scenarios I need to upload the application draft to Google Play - as described here.
However, my customer wants to publish the application later using its own Google Play account.
Is it possible, that I upload the draft first, remove it after testing, and then my customer releases the application (with the same package name) with a totally different Google Play account? Would Google Play allow for that?
I don't want to mess with package ID, it is annoying (but perhaps safest?).
Answering (sort of) my own question:
it seems perfectly fine to remove the application draft from one profile and re-upload to another one
for the time being I only checked re-uploading APK signed with the same private key
funny enough, all configured in-app items that I configured for this application on my own profile reappeared after uploading to the second profile!
Nope, when the applications are exported, they are exported and signed with a certain certificate and private key, so that if anyone has that private key, they will be able to upload the app with the same identifier,
i.e.
com.yourcompanyname.appname
This is a unique identifier that identifies your app to update it further.
We have developed a small app for one company and we want it to be used in this company only. We're self-hosting the APK file and there is one problem. When people download our app, Android shows a warning about "installing from untrusted source", and that confuses a lot of workers.
Is there any way to validate or sign our APK with Google key but without putting it in PlayStore?
In addition I want to say, we have an account on Google Play Console (we paid the registration fee) but we don't want to use Google Enterprise solutions, which allow creating private app channels.
I try to use signature level permission to share data between two apps in a secure way. Unfortunately, even if I use the same upload key for signing both apps, Google Play changes their signature after uploading to the store. Because of that, my apps can't communicate.
How to sign two apps with the same key/certificate if we use Google Play App Signing?
I've done some research and I would like to explain here how Google Play App Signing works and how to use it with signature level permission.
First of all, if we use Google Play App Signing we actually use two keys to sign our app. The first is the Upload key and the second is the App signing key. Both are generated in the same way from Android Studio, and we can use the Upload key from one app as the App signing key for the other app.
The App signing key is stored in Google Play and after uploading it we don't have access to it. We have the possibility to upload it when we enrol in Google Play App Signing for an existing app, or it can be generated by Google Play for a new app, and then we don't have access to it at all. We can say that the App signing key is actually the real key which we use for distributing the app to our users.
The whole mechanism looks like this:
Image source (Official app signing documentation)
As you can see in the image, we use the Upload Key to upload our app to Google Play, and then Google Play removes our signature and signs our app with a different key. It is useful because if we lose our upload key we will not lose the possibility to upload our app (we can ask Google to use a new upload key). Moreover, Google Play can now split our app into smaller parts and distribute them independently, and every part will be signed with our App Signing Key (Android App Bundles).
The disadvantage of this solution is that the app which we upload to the store has a different signature than the app which we download from Google Play.
It is very problematic, especially if we use signature level permission in our app. Moreover, it is also a problem when we want to upload our app to a store other than Google Play.
By using signature level permission we can share data between two apps in a secure way (use case example), but there is one main condition: both apps have to have the same signature.
Even if we use the same Upload Key, it doesn't mean our apps will have the same signatures, because the keys which are used by Google Play can be different.
In practice it means that when you test the release version of your app everything looks great, but after uploading it to Google Play it doesn't work (this problem affects every feature which depends on the app signature: Facebook login, tamper detection).
So, how to use the same key for two apps when we use Google Play App Signing?
When we create a new app in Google Play and try to create the first release to production, Google Play will ask:
And then under advanced options we can find:
After that both apps will have the same signature for our users.
Unfortunately, if we try to do it for an app which is already published for our users (we can enrol in Google Play App Signing later), we don't have this option available and we can't use the same key.
What if we can't do it but we want to use secure data sharing between two apps?
We can manually verify the signature, which is not the same, and try to prevent attacks from inside our app which provides the data. It is not as secure as the first solution but more secure than doing nothing :)
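An added example, not part of the original answer: one way to do the manual check described above, where the data-providing app compares the calling app's signing certificate against a pinned SHA-256 digest instead of relying on `protectionLevel="signature"`. The class name, the peer package name and the digest value are assumptions/placeholders; the digest must be that of the peer's app signing certificate (the one users receive), not the upload certificate.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Build;

/** Hypothetical helper: gate IPC entry points on the caller's signing certificate. */
public final class CallerVerifier {
    // Assumption: package name of the companion app.
    private static final String PEER_PACKAGE = "com.example.companion";
    // Placeholder: SHA-256 of the peer's app signing certificate. Replace with the real value.
    private static final String PEER_CERT_SHA256_HEX =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private CallerVerifier() {}

    /** Call first in every exported entry point (provider query(), service binder methods). */
    public static void enforceTrustedCaller(Context context) {
        if (!isTrustedCaller(context, Binder.getCallingUid())) {
            throw new SecurityException("Caller is not the expected app");
        }
    }

    static boolean isTrustedCaller(Context context, int callingUid) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) {
            return false; // hasSigningCertificate() requires API 28; fail closed below that.
        }
        PackageManager pm = context.getPackageManager();
        String[] packages = pm.getPackagesForUid(callingUid);
        if (packages == null) {
            return false; // UID unknown to the package manager.
        }
        byte[] expected = hexToBytes(PEER_CERT_SHA256_HEX);
        for (String pkg : packages) {
            // Require both the package name and the certificate digest to match;
            // a package name on its own proves nothing about who built the app.
            if (PEER_PACKAGE.equals(pkg)
                    && pm.hasSigningCertificate(pkg, expected, PackageManager.CERT_INPUT_SHA256)) {
                return true;
            }
        }
        return false;
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Each app has to pin the other's digest for the check to work in both directions, and the pinned value must be updated in a new release if the peer's signing certificate ever changes.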
As you found out, sharing the same upload key does not mean that the app signing key will be shared as well. However there is a way to do that when you first enroll in App Signing by Play: under the "Advanced" section in the enrollment card, there is an option to reuse the app signing key of another app already enrolled in App Signing.
You will need to create a new app however since there is today no way to change the app signing key.
This is documented on this page under "Opt in to app signing by Google Play" > "New apps".
Hope that helps,
I have two different apps, and I want them to be able to communicate together.
For security reasons, I would like to restrict the communication with protectionLevel:signature, so I don't have to worry about other apps possibly messing with my apps.
The problem is, I use Google Play Signing for the first app. I noticed, that when I want to create a new App in the play console, and opt-in for Google Play App Signing, that another certificate is generated. So, I suspect that the permission system is not working, as the release-apk that users download will not be signed by the same certificate, and that the "protectionLevel=signature" check will fail.
Is this true, or will it still work somehow when the Upload-Certificate matches?
Is there any way to use the same certificate for different apps using Google Play App Signing?
I solved it;
There is a button for reusing the Signing Key from an old app in the "App Signature" Tab in the play console.
Note that after you generated a distribution key once, it cannot be changed, even if you never uploaded an APK yet, so you have to press the button to reuse the key immediately before generating another distribution key.
I had to delete my (unpublished) app and created a new one. If you already published your app (even if just for a closed beta test), your only chance to get the same distribution key is to create a new app with a different app id.
I have written an app that is hosted on our private server. We release updates to our customers via a push notification. All this works fine.
We always intended to publish the app on Google Play Store eventually, but one of our customers, which is a council, has published the app on the store without asking us. I think he wanted control of updating the app and the benefits of Alpha/Beta testing. This is causing us problems, as when I try to upload the APK from my developer console, Google is saying the package name already exists on the Play Store.
I understand that once an app has been published on the Store then it cannot be deleted. It can however be unpublished. The following things concern me.
If the other person unpublishes the app, will I be able to upload the app from my developer console?
Will what I want to do require the other person to delete his developer console account?
If the other person does delete his account, will there still be a reference to the package name after this deletion of the account, meaning I still can't upload my app?
Now that someone else has published my app first, will I have to rename the package of my app to upload it to the store?
Any advice is appreciated, thanks in advance
Matt.
I have an Android app that uses In-App-Billing to sell Account Managed Items.
I tested the app with the static response IDs and everything seems to work. I now want to test the app with real product Ids.
I created the app in the Google Play Store and uploaded a draft version of the app with the correct permissions. I now created an In-App-Billing item and published the item.
At the moment the app is unpublished. The item is created and published and I have a test account that is registered in the profile of the developer account and is the only account on the device that I use for testing. The app is signed with the same key as the uploaded draft. Edit: I'm testing with Android 4.1 && 4.03 at the moment
If I try to buy the item the Google Play Store pops up but shows a dialog with the following method: The item you requested is not available for purchase.
How can I test buying the item without publishing the app?
When you test the app, make sure you have exported and correctly signed it (not using debug key). Also make sure that you are using the correct Google account (registered test account) on the device.
Additionally, the registered test account cannot be the developer account.
Apart from this, it should work fine.
Note: Testing your own in-app purchases does require a valid credit card and actual payment.
And finally, it currently takes a few hours for market edits to propagate through the servers and show up.
It may take some time for the changes to be reflected on Google Play. If you just uploaded the app and added the item there, wait for some time, about 2 hr.; the item you want to purchase will then be shown.
For others who reach this thread: now it's not possible to test in-app billing with just a draft version of the app.
Draft Apps are No Longer Supported
Previously, you could publish a "draft" version of your app for testing. This functionality is no longer supported. Instead, there are two ways you can test how a pre-release app functions on the Google Play store:
You can publish an app to the alpha or beta distribution channels. This makes the app available on the Google Play store, but only to the testers you put on a "whitelist".
In a few cases, you can test Google Play functionality with an unpublished app. For example, you can test an unpublished app's in-app billing support by using static responses, special reserved product IDs that always return a specific result (like "purchased" or "refunded").
For details, read https://developer.android.com/google/play/billing/billing_testing.html#billing-testing-test
You can test in-app billing by using options, look at this
Edit :
On the link I mentioned, you can see this :
Note: You do not need to publish your application to do end-to-end
testing. You only need to upload your application as a draft
application to perform end-to-end testing.
If you still can not test it, what you can do is to publish it and test it. If you think there might be bugs in your app's in-app billing, refunds are still a solution.
I'm thinking about something, on the dev site, you can see this :
Verify that your device is running a supported version of the Google
Play application or the MyApps application.
What Android version are you testing on?
You have to add the products (item SKU) in your app product in your Play Store app account. The SKU you set In-App billing is not available. For testing, set the SKU androidtestpayment. Now you'll now get that error The item you requested is not available for purchase.