The application reads a key from a file to hit production vs test server.
I want to create a test APK build that will pick the test key and a second APK build for release that will pick the production key.
I am currently building the app using Eclipse.
I'm not sure if it is related with what you mention, but it sounds to me like you could perhaps include such functionality through the usage of License Verification Library (LVL), consequently having a single app and still being able to deal with the key issues.
Hope that helps.
I recently came across a free mobile app security testing tool based on proguard called AppSweep. I uploaded an android debug apk for security scanning/testing to see any potential vulnerabilities.
It provides a way to upload an apk without signing up or needing an api key and it worked perfectly and I was able to address most of the severe issues.
However, I want to remove an already uploaded app-debug.apk build and I am unable to find an edit or remove functionality. Is this provided and is there a hard limit on the total number of apk uploads?
You can add your existing builds to a project or also delete them after creating an account. Then it will look like this:
Apart from that, there is no limit on how many APKs you can upload, some users even integrate AppSweep into their CI/CD pipeline and create a new scan for each commit.
I am having a bad time with Android trying to create a new release.
I have created a signed APK with two options.
Then I zipped the .apk file; after trying to upload it to the Google console I am getting the below error:
Your Instant App APKs do not declare a valid 'android:targetSandboxVersion' attribute in their AndroidManifest. Using the 'com.android.feature' Gradle plugin to build your Instant App would add this attribute automatically.
Note: the file is zipped and all the solutions ask to zip the file, no luck :(
You need to be clear if you are producing an Instant App or a normal Android app. I think this is what is confusing you, or maybe you just aren't being clear in the question.
Android Instant Apps are special Android apps that launch from a web page, and don't need a user to install them. To build them you need the Instant Apps SDK, and to follow the development instructions here. Android Studio will produce a zip for you; you don't need to do it manually.
For normal Android apps, you don't need to zip your APKs. Just upload the APK itself to the Play Console.
I think you are probably making a normal Android app, but because you are zipping it, the Play Console thinks you are uploading an instant app. So stop zipping your APK, and just upload it to the Play Console as a ".apk" file.
While you are at it, I'd recommend using APK V2 signing - it gives much faster installation on modern devices.
In Android, what is the difference between a debug build and a production build? Also, are there any other kinds of builds?
Thanks.
I'm not sure if you are asking about the debug/production app or debug/product framework. So I will cover framework.
There are two different types of Android framework build (the entire system image): user (aka production) and userdebug.
All standard device makers release their devices with a "user" build. Userdebug is meant for development and typically only built for in-house use.
Getting root:
In userdebug build you can simply do "adb root" to switch your adb shell to root mode. In addition, you can also do "adb remount" to remount the system partition to writeable mode for further control.
In user build, you can gain root access by installing special su binary and corresponding controlling app (like supersu). This way, while in adb shell, you can use "su" to gain a privileged shell. It is not as convenient as userdebug build.
In AOSP, you can choose the build type via the lunch command. For example
lunch aosp_hammerhead-userdebug
vs
lunch aosp_hammerhead-user
Well, the three little pigs had 3 types of builds but most of those didn't work out so well.
Anyway, you should see the docs here. When you build your app in the IDE you get a debug key and this is different than a production key. Having a debug build keeps you from needing to enter credentials each time but you obviously would want this prompt when you are ready to release a production build.
I guess this is what you are talking about but if you have something else in mind then please elaborate.
There is no difference between the two builds. The production build will run the same as the debug build with some limited exceptions. The limited exceptions relate to features that are signature dependent, i.e. they require you to register either the debug or production key to work properly. This would include most API's, like GoogleMaps or Facebook, and anything else that uses your build key to generate a unique identifier (think most OAuth2 products).
Your question is confusing/vague because in reality there is no difference in the two builds. Both will run exactly the same code. The difference is in who can run them and how you can run them. All android applications are signed when they are built by a unique key. This key identifies the app creator and is useful, in production, to ensure that the developer is not sending crap malware to those on the Google Play Store (or at least if they are we know where to find them).
Builds created in debug mode are signed with a debug key that is localized to a specific machine. This means if I build an app in debug mode to install to my phone, and another developer sitting right next to me builds the exact same code base to run on his phone our two applications will be signed with different debug keys. Why does this matter? Well, going back to the API registration process mentioned above, if I create our company wide Google Maps API registration using my debug key (bad idea) when my friend sitting next to me builds the app in debug mode on his machine he will encounter an error. The problem is that access to the Google Maps API is dependent on having an app installed that is registered with the right key. Because our two keys are different his app will not load properly.
Release/production mode allows you to sign the app with one universal key, not tied to a specific machine. This avoids the problem mentioned above. By using one key for all installs, every app will be able to access the same APIs, so long as you register for them with your production key. This production key is not machine specific. You can send it to your friends (please don't) so they can sign apps as you.
That's pretty much it. You can read more about building and running apps here. If you have a more specific question please clarify.
So this might sound like a complete and total noob question, but I'm going to ask and see what I find anyway.
I'm working on an Android application using Eclipse IDE. I have two development machines that I use (one for work, one for home) and one is 64bit while the other is 32bit. The phone that I'm using to test my application is a Google Nexus (Verizon flavored, most up to date drivers). If I build and run the application using one machine, then try to do the same on the other machine I get a console error that tells me to run an ADB command to uninstall my app because the signature has changed.
From what I understand it's because "debug.keystore" (located in %USER_HOME%/.android) is different for each machine. Why does it do this? I assumed that the application signature was unique to the app, not the app + dev machine. Is this normal behavior? If so, is there something I can do to get around it? I'm worried that copy/pasting the file between machines could cause problems, so I haven't tried it yet. Would I have to move this file every time I switch machines? Also, if I release my app into the wild, then lose my computer and have to start using a new computer (thus, changing the application sig), will everyone who installed my app have to uninstall the app because the application sig is different?
Bonus round: is there some way I can configure my IDE so that I don't have to change where Eclipse looks to find the SDK every time I switch machines (i.e. make it look in both the ProgramFiles directory and the ProgramFiles (x86) directory)?
To make sure the app was built by the same developer, Android wants the signature to be the same. Feel free to copy your debug key between machines. It has nothing to do with your machine or whether it's 32/64 bit; it only proves that you're the same developer.
When it comes time to release your app, you want to be very careful to
Keep your release key private, and
Keep your release key backed up in several places.
If you ever lose your release key, you won't be able to update your app, as you suspected.
Update: To make my answer more complete, it looks like the way to tell Eclipse which key to use is under Preferences -> Android -> Build.
I use Linux and don't use Eclipse; what I do is just copy ~/.android/debug.keystore from machine to machine, and the ant build tool uses it automatically, avoiding the pesky "certificates don't match" installation error.
For my release keystore, I have this line in my ant.properties:
key.store=../private/my-release-key.keystore
and keep my-release-key.keystore in a private repository much to the same effect.
I guess that for different platforms Google team has created different debug keys (I guess for tracking purposes). These debug keys do not depend on your application. If you want to distribute your application you need to create your own key. If you sign your application with your own certificate there should not be such kind of problem (because in this case, certificate depends only on attributes that you've entered when you create certificate). Under the Preferences -> Android -> Build you can select which keystore to use.
The signature is unique to each of the developers. From what I understand, if you are using the debug key, it uses your mac address or other unique characteristic to create an arbitrary key. So when you build and install your app onto a device with one machine, and then go to use another, you have different signatures, and thus your issue.
To be able to not have this issues, you should create your own key, as others have mentioned, and then use that to sign when you build.
You will NEVER want to release an app with your debug key, this is just for developing and when you go to release your app, you want to use your unique key that you created.
These keys are used to keep others from updating your apps without your permission, so create your own dev key and you won't have this issue.
Here is a link that should help you get started and pointed in the right direction: http://developer.android.com/tools/publishing/app-signing.html
I've copied "debug.keystore" from one machine to another; there are no ill side-effects. You can simply overwrite one with the other, and the un-install/re-install problem is fixed. The debug key is there only to protect the developer's own devices from other developers' binaries.
As others have mentioned, you do not publish your app with the debug key, you must make a release key and sign it, per the instructions on developer.android.com.
Also it's worth noting that the "debug" key is only valid for 1 year from the date it was created (when the SDK was installed). After a year, the SDK will say it's expired, and generate a new debug key. You'll have to re-copy the new key to the other machine, and you'll have to un-install the app signed with the old debug key.
As for the other problem you mention, you should have separate Eclipse workspaces that both reference the same Android project, using different SDK locations. The project does not need to be in a sub-folder of the workspace, so you can make this separation.
I created a .apk outside of Eclipse using tiggr mobile (http://gotiggr.com).
I have the downloaded .apk and need to sign it, so I thought about running it through Eclipse and then signing it that way.
I'm having the worst trouble importing it into Eclipse.
Does anyone have any other suggestions on signing this? I keep getting this message when uploading:
Market does not accept apks signed with the debug certificate. Create a new certificate that is valid for at least 50 years.
Market requires that the certificate used to sign the apk be valid until at least October 22, 2033. Create a new certificate.
Market requires the minSdkVersion to be set to a positive 32-bit integer in AndroidManifest.xml.
Thanks for your help!
It would be faster to get the source code into eclipse via retyping it than to try and unsign and explode the apk, edit the manifest, fool the tools and sign the package. The tools can be run at the command line anyways and eclipse would just make it harder.
One problem you have is that there are problems in your manifest. The market requires some attributes set in it that you did not need while doing developer builds. You can open up the apk with anything that will open a zip file. You can edit text files with notepad. You package them up with ant by recreating the build.xml by hand. The instructions for signing things are here:
Android Dev-Guide: Signing your Applications
But what a LOT of work... and I am guessing you will need to do this multiple times just for one release to get the manifest right. Then what do you do when you need to update your program?
Will the service not let you export the code in an easy to use way (because... wow... talk about evil)? Failing that, cut and paste will save you time, but you will almost certainly want to have it in Eclipse or some IDE, ready to make changes for your market release and to build, package and sign it.
That's not your issue. I suppose you compiled your app and now you're trying to publish it in the market. To do that, you need a private key, which in turn requires you to have an Android Market developer account.
Normally you can develop your app and install it into most devices but you can't submit apps to android market without a developer account.
If what you really want is only to import your app to eclipse, I suggest you to create a brand new android project and copy everything into it. It's easier and faster than adjusting everything!
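A pre-upload check for the two certificate rejections quoted in the question above (debug certificate, validity before October 22, 2033), as an added example that is not part of the original posts. It assumes the input is the text printed by `keytool -printcert -jarfile app.apk`; the sample outputs and the function names are constructed for illustration.

```python
import re
from datetime import datetime

REQUIRED_UNTIL = datetime(2033, 10, 22)   # date quoted in the Market error
# Subject the Android SDK gives its auto-generated debug certificate.
DEBUG_SUBJECT = {"CN": "Android Debug", "O": "Android", "C": "US"}
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Constructed samples, laid out like `keytool -printcert -jarfile app.apk` output.
SAMPLE_DEBUG = """Signer #1:
Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Valid from: Mon Mar 05 09:12:44 UTC 2012 until: Tue Mar 05 09:12:44 UTC 2013
"""
SAMPLE_RELEASE = """Signer #1:
Owner: CN=Example Dev, O=Example Org, C=US
Issuer: CN=Example Dev, O=Example Org, C=US
Valid from: Thu Jan 10 08:00:00 UTC 2013 until: Sun Jan 01 08:00:00 UTC 2040
"""

def parse_dn(dn):
    # Simplification: assumes no escaped commas inside attribute values.
    return dict(part.strip().split("=", 1) for part in dn.split(",") if "=" in part)

def parse_keytool_date(text):
    # e.g. "Tue Mar 05 09:12:44 UTC 2013"; time of day and zone are ignored.
    _, mon, day, _, _, year = text.split()
    return datetime(int(year), MONTHS.index(mon) + 1, int(day))

def check_release_cert(keytool_output):
    """Return the problems that would block an upload; empty list means OK."""
    owner = re.search(r"^Owner:\s*(.+)$", keytool_output, re.M)
    valid = re.search(r"^Valid from:\s*.+?\s+until:\s*(.+)$", keytool_output, re.M)
    if not owner or not valid:
        return ["no certificate found (unsigned APK or unexpected output)"]
    problems = []
    if parse_dn(owner.group(1)) == DEBUG_SUBJECT:
        problems.append("signed with the debug certificate")
    not_after = parse_keytool_date(valid.group(1))
    if not_after < REQUIRED_UNTIL:
        problems.append(f"certificate expires {not_after:%Y-%m-%d}, before 2033-10-22")
    return problems

if __name__ == "__main__":
    for name, text in (("debug", SAMPLE_DEBUG), ("release", SAMPLE_RELEASE)):
        print(name, check_release_cert(text) or "OK")
```

Running the same check in a release pipeline catches an APK that was accidentally signed with the machine-local debug keystore before it reaches the store upload step.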