If I lost the original certificate.keystore file created with keytool, but have the exact terminal output and all the stuff I entered to make it, is that enough to be able to create a new certificate that the android market publish site will accept without saying that the new apk must be signed with the same certificate?
This is a MAJOR flaw in the google android market. unlike apple where you can request your certificate with your apple developer account, google has no such service yet. If you loose your certificate, thats it. You will be unable to publish an updated version of your app for people to download.
Best thing to do is let your userbase know there is a new version of the app out with changes that made it impossible to update normally, and they need to uninstall the old version and download the new version, unpublish the old version from the app store and publish the new one. (its a bit of a white lie, but people wont cry too much, and its a lot better than saying you lost the certificate, most users wont even know what you are on about)
Then keep your certificate duplicated for backups and keep it SAFE!!! Email it to yourself, put it on a unnamed flashdrive (incase it gets stolen people wont know what the certificates for). Gmail is good because its easy to retrieve mail from months ago with keywords. Burn it on a CD and put it in your medicine cabinet if you have to.
Hope this helps, good luck
I dont think the generated certificate and the private key will be the same.
Related
I had exactly the same issue like in that question: java.lang.SecurityException: Permission Denial: opening provider when implement content provider
I have solved it using: the answer of #CommonsWare
Where He says:
App B has identical <permission> elements as App A and both App A and App B are signed by the same signing key
But When generating the app bundles of my applications, I have forgotten to sign them with the same signing key
According to the research I have done:
It is not possible to change the singing key of an application once it is on play store.
My actual problem:
I have recently put two apps on play store which have the same <permission> element. When I install first the app A from play store, I will not be able to install the app B. When I first install the app B from play store, I will not be able to install the app A. One of my apps is not able to install when I install the other app first.
According to #commonware answer:
you would need to remove one of the two apps from the Play Store and
submit a replacement, with a new application ID, that is signed by the
same signing key as the other shipping app.
But I don't want to change the application ID of any of these two applications
Any idea about how to solve that issue?
Is there any other efficient alternative to ContentProvider to share data between two applications of the same author?
I have momentarily accepted the #Warlock answer but I am looking for a better answer.
It's possible to change singing key for app already in Play Store. But it has now major disadvantage which will be gone in few years. It will be working only on devices running Android 9 and above. So your mindSkdVersion has to be 28+. It's called key rotation and it's part of APK Signature Scheme v3. See this link.
Also I don't know other way how to 100% securely change data between two apps than trust same signing keys. Less secure way is only to depend on known applicationId (just sent Intent with "com.myapp.someaction") which attacker can of course use and sideload app or use other distribution. Bit harder way to break can be usage of Android IPC / AIDL directly.
I am installing security software/hardware into a couple different school districts. The application is at it's final stage, however I will need to send updates to users periodically. For example, a general password will be changed for the application every 6 months.
Installing an .apk is considered an "update" after the initial application is installed, correct?
I just have a feeling that there should be some easy way of doing this. I don't really want to give people an .apk. Someone could get smart and tear it apart to find the contents. That, and some others might not understand how to install files on their phone.
What are your ideas? Maybe a web link a user can go to that starts the install for them?
You have multiple misconceptions how updating, APKs and keeping keys secure work.
You have to host your APKs somewhere. Github releases is a pretty common way (but slow), but you could also use google drive, dropbox or your own server.
Your app has to fetch the server regularly and check if a new APK is available (pull-based). Second option is to use push notification in some kind e.g. FCM (push-based). Then you download the APK and let the user install it. Your app cannot start a installation by itself, it has to be done by the user.
But you can redirect the user to the installation menu with that APK, so he just has to click "Install". "Install from unknown sources" has to be enabled for that, if not the user will get an information about that from the OS with a way to enable.
There are apps like "APK extractor" which get you the APKs from google play without root, so there's nothing wrong about giving out the APK. Your APK should never contain secure keys which the user isn't allowed to see. It's easy to reverse engineer those keys, it's just a matter of time.
I'm in a big trouble. I get this popup when I want to run a video player on my page. I've google a lot and the reason should be the self signed certificate. I've never bought any ceritificate, or never installed. I've just read not all certificate is trusted to solve this, but I'm looking for the cheepest one, that can solve this, and I can use again this library without any popups.
http://i.stack.imgur.com/trhGB.png
The other questions is what should I do with the certificate? Where to put it, or how to insert to the site?
Thanks for the reply
I am trying to implement the APK Expansion Downloader Library into my application, but I am struggling to get past the LVL verification check.
Everytime I run up the application, I get a "Signature verification failed" message back from the LicenseValidator class. The application is signed in release mode, with a proper Keystore.
I have checked maybe 10+ times that the PUBLIC_KEY I am using inside of the application is the same as on the developer account, yet its still not working. I have also uploaded the application to the Play Store, with the expansion file (correctly named), and even added in my account as a Test account on the developer console. I have also tried adding the publisher account onto my device, and its still not working.
I do not know what to do next, I need this to work and cannot find any help on the internet as to how to fix this.
Thanks
Adam
you had several versions of file extansion? Because I had the same problem as the api sent me the name of an old file ... as a workaround in the verification code I just replaces the version number ... It's not terrible, but the bug does not come from me ...
Fixed. Via "Manage apps" I stopped the Google Play Store app, cleared its data (not the cache, which was zero bytes), then restarted my licensed app - licensing now works.
How do I package/export my app from eclipse for consumption? Where can I upload it other than android marketplace?
I've done all the programming but have no idea what to do next.
You should check out this excellent talk given at Droidcon uk last year
http://skillsmatter.com/podcast/agile-testing/how-to-run-a-private-beta-on-the-android-market
Read about publishing here. The process isn't too bad. You must:
Create a signing certificate
Build and Export for publishing
Sign
Distribute
If you just want to distribute to testers, you can sign with a debug certificate. Those who want to install the debug app on their phones must go to Settings->Applications->Unknown Sources. From there it's as easy as using adb install <path to APK> or uploading the app to a web server and having the target phone navigate to its URL using Android's browser.
As for other marketplaces, there are a lot these days, with Amazon's the closest second to the Android Market. Even WalMart has jumped in!
The biggest pain is setting up your signing credentials, but it's not a big deal. Just read the dev guides and you'll be publishing in no time.
Depends on if you are going to hold a private or a public beta. First things first though.
You need a signed .apk in eclipse, click File->Export and then open the Android Folder and click "Export Android Application"
It will walk you through signing your .apk. If you are going to do a private beta you could use a different key than the one you plan on using for the android market if you wanted.
If you are holding a private beta you can put the .apk out on dropbox or another service like that and send your beta testers the link. You will want to make sure they have checked "Unkown sources" in there settings.
If you are holding a public beta you can publish it to the market and just let everybody know it is in beta.
I have done it both ways... Having a public beta may discourage certain users from downloading the app but you will establish your place in the market. On the flip side you could be affected by ratings. It will depends on if your app is really ready for beta or is in more of an alpha stage.
Hope this helps.
I suppose this part of the documentation could help. It describes the specifics on how to publish your .apk file outside the standard Android Market channel. In fact, the whole "Publishing" section of the doc gives you a quite complete overview of what is possible to do, and how to do it.
Good luck your your app!