Examining Amazon Appstore Signatures for Android Apps

My app is in a number of places, including the Amazon Appstore and the Android Market.  I regularly test updating my app, since I keep it installed on my phone.

There is a new wrinkle, because my Amazon versions are now different from the version for everywhere else.

So, after this last update to the Android Market I noticed something a little odd – the Android Market can detect that my app has been installed, and that there is an update available.  It fails to update, however, due to the signature keys not matching.  Hmm…

So I investigated.  Android will only install an update over an existing package if both are signed with the same certificate, so a mismatch like this is worth running down.  Fortunately, it's easy to check the signature of your app.

Get the Installed Version

First, get the installed .apk onto your computer:

  • Install the ASTRO File Manager app onto your device
  • Press the menu button, then go to Tools -> "Application Manager/Backup"
  • Back up the app in question (or all apps)
  • Connect your device to your computer by USB and turn on USB Storage
  • Pull the files from the backups/apps directory on the SD card
  • Turn USB Storage back off before disconnecting your phone, so it can use the SD card itself again

Check the Certs

Now you have the .apk as downloaded, and you should also have the original .apk as uploaded (you did save it, right?).  It's time to compare.

On Windows, run the following on the command line (substituting the path to your JDK's bin directory for JDKLOCATION):

JDKLOCATION\jarsigner -verify -verbose -certs myApp.apk

Do this for both your original application and the one downloaded from Amazon.  Take a close look at the cert information.  The lines to compare are the certificate fingerprints (the SHA1 and MD5 values) and the owner/issuer names; the expiration date is just a hint.  Android treats two packages as coming from the same developer only if the signing certificates are identical, so different fingerprints mean the Market will refuse the update no matter what else matches.

I found that Amazon signs the Android apps in the Amazon Appstore with its own key.  The expiration date is different, and all of the signature info is different.  They even do this to the free ones (which the app in question is), which they shouldn't need to add anything at all to.  It puts a jumbled-up version of my company name as the key signer, but you also see this file added:

com.amazon.content.id.XXX

Where I guess the ID is something to uniquely track my app.
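The jarsigner output tells you who signed each .apk, but not what else changed between your upload and the store's copy.  The script below is an added example, not code from the original post: it opens both APKs as zip files, hashes every entry outside META-INF so you can see which files were added, removed or modified, and pulls the SHA-1 fingerprint of the signing certificate out of each META-INF/*.RSA signature block with a minimal DER walk, so you get the same fingerprint value jarsigner prints without needing a JDK.  The two sample APKs at the bottom are constructed in memory: the "certificate" inside them is a placeholder SEQUENCE rather than a real X.509 certificate, and the store entry name and subject strings are stand-ins, not anything observed in a real Amazon build.

```python
"""Compare a developer's uploaded APK with the copy a store handed back.

Added example for this post; constructed inputs, not real store files.
"""
import hashlib
import io
import zipfile

SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")   # PKCS#7 signature blocks in META-INF
OID_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"   # 1.2.840.113549.1.7.2
OID_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"          # 1.2.840.113549.1.7.1


def der_iter(buf, pos=0):
    """Yield (tag, value, whole_tlv) for each DER element in buf[pos:]."""
    end = len(buf)
    while pos < end:
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            hdr += n
        start, stop = pos + hdr, pos + hdr + length
        yield tag, buf[start:stop], buf[pos:stop]
        pos = stop


def signer_cert_fingerprint(pkcs7):
    """SHA-1 over the DER of the first certificate in a PKCS#7 SignedData blob.

    This is the 'SHA1:' fingerprint jarsigner/keytool show for a signer.
    ContentInfo ::= SEQUENCE { OID signedData, [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgs, contentInfo, [0] certs, ... }
    """
    content_info = next(der_iter(pkcs7))[1]                 # body of outer SEQUENCE
    signed_data_tlv = list(der_iter(content_info))[1][1]    # value of [0] EXPLICIT
    signed_data = next(der_iter(signed_data_tlv))[1]        # body of SignedData
    for tag, value, _ in der_iter(signed_data):
        if tag == 0xA0:                                     # [0] IMPLICIT certificates
            cert_tlv = next(der_iter(value))[2]             # first Certificate TLV
            return hashlib.sha1(cert_tlv).hexdigest().upper()
    raise ValueError("no certificate in signature block")


def inventory(apk_bytes):
    """Return ({entry: sha1 of content} for non-META-INF files, {name: sig block})."""
    digests, sig_blocks = {}, {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.startswith("META-INF/"):
                if name.upper().endswith(SIGNATURE_SUFFIXES):
                    sig_blocks[name] = data
            else:
                digests[name] = hashlib.sha1(data).hexdigest()
    return digests, sig_blocks


def compare_apks(original, store_copy):
    """Diff file contents and signer fingerprints between two builds of one app."""
    o_d, o_s = inventory(original)
    s_d, s_s = inventory(store_copy)
    return {
        "added": sorted(set(s_d) - set(o_d)),
        "removed": sorted(set(o_d) - set(s_d)),
        "modified": sorted(n for n in set(o_d) & set(s_d) if o_d[n] != s_d[n]),
        "original_signer": sorted({signer_cert_fingerprint(b) for b in o_s.values()}),
        "store_signer": sorted({signer_cert_fingerprint(b) for b in s_s.values()}),
    }


# --- constructed sample inputs (not real APKs or real certificates) ---------
def _der(tag, payload):
    n = len(payload)
    if n < 128:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + payload


def fake_signature_block(subject):
    """PKCS#7 skeleton with a placeholder 'certificate' SEQUENCE (constructed)."""
    cert = _der(0x30, _der(0x13, subject))
    signed_data = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"")
                       + _der(0x30, _der(0x06, OID_DATA))
                       + _der(0xA0, cert) + _der(0x31, b""))
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, signed_data))


def build_apk(entries, signer_subject):
    """Zip up app entries plus a META-INF signature block (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", fake_signature_block(signer_subject))
    return buf.getvalue()


APP_FILES = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00" + b"\x00" * 16}
DEV_APK = build_apk(APP_FILES, b"CN=My Company (constructed)")
STORE_APK = build_apk({**APP_FILES, "com.amazon.content.id.XXX": b"\x00"},
                      b"CN=Store Re-signer (constructed)")

if __name__ == "__main__":
    for key, value in compare_apks(DEV_APK, STORE_APK).items():
        print(f"{key}: {value}")
```

On real files, run `compare_apks(open("myApp.apk", "rb").read(), open("myApp-amazon.apk", "rb").read())`.  An empty "modified" list with a non-empty "added" list is the benign case (a wrapper added, your code untouched); anything in "modified" means the store rebuilt or patched your own files and deserves a closer look.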

Which Means…

I’m not sure if I should be worried or not.  If Amazon is willing to modify my app without asking or telling me, how do I know that they’re not doing anything else?  Maybe this explains a few of the bad reviews that others have given me about permissions that my app doesn’t ask for.  Or maybe not – some users are just crazy.


About ProjectJourneyman

I am a software engineer that escaped the cubicle world at a large company to go solo with Android app development. My attention to detail and quality applies both to my apps and to my research on how to make money with Android. Now that I have the freedom to work on my own projects, I am documenting my efforts in the hopes that it will help other current or aspiring independent Android developers get the income they desire.

Comments (2)

  1. Actually they do tell you they're going to add their own signature, and you have the option of letting them add their own DRM. This information is in their developer agreements and FAQs.