My lecturer gave me a project on patching APK files. I wrote a sample application, using Apk_Manager 5.0 to patch the app. It's ok. But then I tried with an application downloaded from market.android.com, the re-signed application can't run on my Android Virtual Device. What's the problem?
As a security feature Android will not let you install an updated version of an app that was not signed using the same keys. If this were allowed a malicious app with the same package name could gain access to private data stored by the original app. To install an app with the same package name but different signing keys you must first uninstall the original app, which will remove the app's private data.
Since you mentioned that you are attempting to modify other people's apps potentially without their knowledge or consent, please respect the copyrights of others. Many developers may consider this to be a breach of license.
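The rule described in the answer above (same package name plus a different signing key means the update is rejected) can be checked before installing. This is an added example, not code from the original posts: it compares the certificate digests printed by `apksigner verify --print-certs`. The package names and digests are constructed sample values, and `install_verdict` is a hypothetical helper.

```python
import re

# Matches lines as printed by `apksigner verify --print-certs <apk>`.
_DIGEST = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$",
    re.MULTILINE,
)

def signer_digests(print_certs_output):
    """Return the set of signer certificate SHA-256 digests (lower-case)."""
    found = {d.lower() for d in _DIGEST.findall(print_certs_output)}
    if not found:
        raise ValueError("no signer digest found; APK unsigned or output truncated")
    return found

def install_verdict(installed, candidate):
    """Each argument is a (package_name, print_certs_output) pair.

    Simplified model: the signer sets must match exactly. Key rotation
    via APK Signature Scheme v3 lineage is not modelled here.
    """
    (inst_pkg, inst_out), (cand_pkg, cand_out) = installed, candidate
    if inst_pkg != cand_pkg:
        return "separate-app"        # different identity, installs alongside
    if signer_digests(inst_out) == signer_digests(cand_out):
        return "update-accepted"     # same package, same signing certificate
    # adb reports this case as INSTALL_FAILED_UPDATE_INCOMPATIBLE
    return "signature-conflict"

# --- constructed sample data: digests are made up, not real certificates ---
KEY_A, KEY_B = "a1" * 32, "b2" * 32

def sample_output(digest):
    return (
        "Signer #1 certificate DN: CN=Constructed Example\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
        f"Signer #1 certificate SHA-1 digest: {'00' * 20}\n"
    )

ORIGINAL = ("com.example.app", sample_output(KEY_A))
RESIGNED = ("com.example.app", sample_output(KEY_B))          # patched + new key
UPDATE = ("com.example.app", sample_output(KEY_A.upper()))    # same key, upper-case hex
RENAMED = ("com.example.app2", sample_output(KEY_B))          # new package name

if __name__ == "__main__":
    for label, apk in (("re-signed", RESIGNED), ("update", UPDATE), ("renamed", RENAMED)):
        print(f"{label:10s} -> {install_verdict(ORIGINAL, apk)}")
```

A "signature-conflict" verdict means the installed copy, and its private data, must be uninstalled before the re-signed build can be installed.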
My question may look strange but I'll try to explain somehow. Let's imagine there is an Android device with software that adjusts some settings based on application package name - it's a real-life scenario. This software may provide better performance for listed applications and there is no way to add my application to that list. What I'm capable of doing is to release my application under one of listed package names (not to Google Play, just provide APK on GitHub so that anyone who wants to use it will install it manually). And there comes my question:
is it legal to use some company's existing package name for my own application? Is it protected legally? My app is free & open source application.
Just to be clear: I'm not doing this to impersonate "real" application with bad intentions. I just want my application to use full range of device capabilities... And download page will state it clearly & visibly :)
In other words: can I release app with package name e.g. com.google.android.talk? I know that it won't override existing app if someone has it installed etc. (it's not my goal to override some application). I'm just talking about such possibility and legality.
This is totally legal, as you can use whatever String you want for your app/package name.
However, just doing this will most probably be not enough to "impersonate" the other app, as this would be a serious security flaw. First of all, there can never be two apps with the same package name installed.
If the app you speak about is created by a "serious" developer, say Google or one of the OEMs, it will check both package and signature of the app and will therefore know your app is not the same as the replaced app.
Also, when the user tries to install your app, a package conflict will happen, followed by the signature conflict. There are two scenarios here:
If the app you are replacing is a standard app, the user will be able to install your app from adb, but only after they accept to completely wipe the data of the original app. You have probably seen this dialog while developing stuff.
If the app is provided by the OEM and has system permissions, the installation will simply fail, with no possibility to "overwrite" the app. This can be dodged by having the devices rooted, replacing the .apk file in the system directory and restarting the phone.
Please mind that none of the above will work by just uploading the .apk to the phone. This needs to be done from adb. On-phone installer will just fail.
I would like some general info on system apps. I am working with a manufacturer who is willing to give me the info required to make my app a system app. However, I do not know exactly what this information should be and how to change my app to make it a system app with the given information. I believe I need something in my manifest like this:
android:sharedUserId="android.uid.system"
and then I need to sign my app with the manufacturer's key? I am not sure; could someone explain to me exactly what the process would be, please?
Also, the reason my app needs to be a system app is so the user cannot uninstall it, but my app still needs to update. Is it possible to update my app when it is a system app? I would be updating it from Google Play like normal.
Thanks for any help. I simply could not find very much information on this subject and would appreciate the help.
This link here would give you a bit of information.
A System application is NOT an application which is signed by the OS’s
platform signatures. This is a common mistake believed by many and we
shall come to this later on. A System application is merely an
application which is placed under /system/app folder in an Android
device. An application can only be installed in that folder if we have
access to the OS’s ROM (system.img). The application is placed under
/app folder after the ROM has been extracted. A device which loads the
custom ROM will have the new System application added. The benefit of
a System application is that the application cannot be removed from
the device (cannot be uninstalled by the user). This is only because
/system/app is a read-only folder.
http://ricston.com/blog/explaining-behavior-android-application-system-apps-nonsystem-apps/
As for updating your app through the play store, I am assuming you should be able to do that without any problems, if the app is on the play store, and you use the same signature every time. It need not be the manufacturer's certificate, but it's better to use that certificate to sign your app.
So, the only thing that you need to ensure is that, while building the ROM, the manufacturer puts your apk into the system folder, and it should work.
Use the mkkey.sh script (http://www.kandroid.org/online-pdk/guide/release_keys.html) to create new certificates, including x509 certificates. You won't need these steps, as the manufacturer is giving you the keys.
In AndroidManifest.xml of your application: under the element add the attribute android:sharedUserId="android.uid.system"
Export an unsigned version of your Android application using eclipse.
Project >> Android Tools >> Export Unsigned Application Package
Use /out/host//framework/signapk.jar to sign your app using platform.x509.pem and platform.pk8 in /build/target/product/security/ generated earlier
java -jar signapk.jar platform.x509.pem platform.pk8 your_app_unsigned.apk your_app_signed.apk
Answers to some of your other questions are already given by Kumar Bibek. These are the steps I followed when I had to do the same. This was done in Android ICS. The steps might have changed, but it is still worth a try.
Since Android O (Oreo), you need to sign the system apps with dev keys, unlike in past versions, where you could just copy them to a system folder, which has varied in the past.
I am developing 2 android applications, which are clients for my server. I cannot install both applications on my android phone. I install the first app to phone, everything is ok. Then when I try to install the second app on the phone, I get the message that the application will replace another application (the first one), and then I get following error:
Application not installed: an existing package by the same name with a conflicting signature is already installed.
I mention that I have created one separate keystore file for every application, export them as in the android official signing application guide, then zipaligned them.
So the OS thinks that it is a single application? But in fact there are 2 different apps.
What am I doing wrong?
I think you are using the same package, which is not allowed for two different apps.
But for anyone who has the same error when installing another version on top of a previously installed app:
I wanted to test the released version of my app when the problem occurred. I had the app previously installed using Eclipse, and then I wanted to install the same app but with the release signature. I even uninstalled the app using the apps gallery, but the problem persisted.
The solution for me was to uninstall the app using Settings->Apps->"the app"->top right corner menu->Uninstall for all users
I had the same error message, but these answers did not help. On a 4.3 nexus 7, I was using a user who was NOT the owner. I had uninstalled the older version but I kept getting the same message.
Solution: I had to login as the owner and go to the settings->apps... Scroll down to the end of the list where my old version was listed with a mark 'not installed'. Select it and press the 'settings' button in the top right corner and finally 'uninstall for all users'
Not sure what happens when you use the same signing key, because in all honesty, I never really tried it.
That being said, as Anand Tiwari, in his comment, has already simplified the answer, you cannot install two different applications with the same package name on one device. They, logically speaking, may be different to you, but for the OS, they are in fact, the same.
The problem also manifests itself when you try to upload the applications to the Android Market (Google Play). Google Play will simply not accept the second application. There is a short and simple explanation by Warren Faith here: https://stackoverflow.com/a/5788664/450534
As an example of how similar applications with a few changes are published to the Google Play store:
The free version of FriendCaster is: https://play.google.com/store/apps/details?id=uk.co.senab.blueNotifyFree
The paid version of the same app is: https://play.google.com/store/apps/details?id=uk.co.senab.blueNotify
Notice the ending of the package names. In this case, you will be able to install both the apps simultaneously on one device.
I think your problem is that both your files have the same package name. You can name both apps with similar packages, but they can't be identical. In fact, using the same package base can be used to communicate between applications ie. App1: com.mypkg.app1 and App2: com.mypkg.app2. However, they both can't be called com.mypkg.app - the package name is how Android identifies apps, and can't be identical.
You should be able to sign as many different apps (assuming their package is different) with the same key.
Make sure not to lose your signing certificate, if you lose it, you will not be able to upload a new app with the same package name. If you lose your signing certificate, you will be in big trouble.
Good luck.
I've just finished making some updates for a company's Android app, only to realize that they no longer have the private key that was used to sign the original release that went to the Android Market. If I understand correctly, this means that these changes can't be released as an update to the original app. I think the best option is to pull the original app from the market (it doesn't have many downloads or reviews) and re-release the app signed with a new key. However, I'm worried that Android Market might not allow an app to be released which is practically identical to an app that has already been released (e.g. same name, same icon, mostly the same functionality, etc.).
Has anyone been in this situation before? Did google allow you to re-release as a separate app to the Android Market?
You are correct in that you will have to release this as a new application with a different package name. You will have to pull the other app from the Market as it will no longer be updateable and your users will have to redownload the new version of the app.
I don't see any reason why Google would have any issues with this; it's a known issue that some developers/companies can come across when they lose their signing key. Also, as far as I know, Google doesn't closely monitor incoming apps unless they are being flagged.
I've seen some apps that have 10 versions of the same app in the Market, just so that they can have more visibility, which is something that I think Google needs to look out for.
If you just forgot the password:
https://code.google.com/archive/p/android-keystore-password-recover/
If you replaced the existing key file:
1. Rename your package name.
2. Generate a new signed apk, but this time keep a copy of the key and never lose it if you want to update your existing app.
I had a similar thing happen, and we had to change the package name even after pulling the original application from the market. I assume this is to protect users from 'accidentally' downloading a malicious update to an application they already have.
As of about August of this year (2011), the Android market has had the capability of uploading multiple APK's for the same package name. You should be able to remove the original APK and substitute a new one with the same package name now using that mechanism.
I haven't tried it yet, but we were able to upload multiple copies of our different applications that targeted specific platforms and it worked like a charm.
Amazon's documentation is surprisingly lacking in information about the binary submission process. From what I can tell, you submit an unsigned binary and they wrap it in their own code and produce a signed apk?
This leaves several questions:
1. Does the Amazon App Store perform a zipalign for you?
2. If you have your app in the Android Market (Google's) already, is it recommended to use the same package name or a different one? Does it make any difference?
3. I also saw elsewhere that they offer the option to download the apk they prepare and sign it with your own key. Is it recommended to take this and then sign it with the same key you are using in the Android Market? Does it make any difference?
4. Are there any other considerations or pitfalls that one should know before diving into this process?
1. Yes. Amazon wraps your binary with code specific to their appstore that allows them to collect analytics data and enforce DRM. The app will be repackaged after that.
2. You should use the same package name. The Amazon distribution agreement currently has a number of provisos; e.g., that your app is not priced lower on another app store. They also do occasional checks to see whether the version of your app on the market is up to date. These checks are primarily done using the package name; changing the package name of your app could easily be viewed by them as a means to evade the terms of the agreement.
3. No. There may be good reasons why one would want to do this, but none that I can think of. By default, Amazon signs your apk with a signature that is specific to your Amazon developer account.
Other:
Read this. In particular, ensure that the app links correctly to the Amazon app store and not the Android market, or others. I don't have inside data, but I'd wager a fair amount that the vast majority of submissions that Amazon turn down fall afoul of that requirement.
Edit: Point 2 is no longer correct; see comment below.
Here is the reply I received from the amazon mobile app distribution team for a question concerning whether to submit signed or unsigned apk's:
"You can submit signed, or unsigned binaries to the store - we will then apply our signature to your app in either case. If you need to sign your app with a known signature (if you are using Facebook authorization for example) you can choose to upload your app using our self signing process (you will need to ask us for this to be enabled for you)."
The most straightforward way to submit an app is to export your signed apk from Eclipse (all zip aligned and ready to go), then upload via the Distribution Portal using our DRM and signature.
For the latest update of my app I just took the same signed apk I previously released to google play, and it worked well.
I have only published two little applications that sell almost nothing, but both got approved and I followed exactly the same procedure I follow for publishing on the Android Market: I just exported the signed .apk from Eclipse and also used the same package name. So far I have had no problems, so I guess it's ok.
You should zipalign during every build, as a matter of practice.
I use the same exact build process for Amazon as I do before publishing to Google. Only difference is an Interface's variable to determine the market link (at build time, if/else is compiled out).