There is a new wrinkle, because my Amazon versions are now different from the version for everywhere else.
So, after this last update to the Android Market I noticed something a little odd – the Android Market can detect that my app has been installed, and that there is an update available. It fails to update, however, due to the signature keys not matching. Hmm…
So I investigated. It’s easy to check the signature of your app.
Get the Installed Version
First, get the installed .apk onto your computer:
- Install the ASTRO File Manager app onto your device
- Press the menu button then go to Tools->“Application Manager/Backup”
- Back up the app in question (or all apps)
- Connect your device to your computer by USB and turn on USB Storage
- Pull the files from the backups/apps directory from the SD card
- Turn USB Storage back off before disconnecting your phone, so it can use the SD card itself again
Check the Certs
Now you have the .apk as downloaded, and should also have the original .apk as uploaded (you did save it, right?). It’s time to compare.
On Windows, do the following on the command line (substituting the actual location for JDKLOCATION):
JDKLOCATION\jarsigner -verify -verbose -certs myApp.apk
Do this for both your original application, and the one downloaded from Amazon. Take a close look at the cert information.
I found that Amazon signs the Android apps in the Amazon Appstore with its own key. The expiration date is different, and all of the signature info is different. They even do this to the free ones (which the app in question is), which they shouldn’t need to add anything at all to. It puts a jumbled up version of my company name as the keysigner, but you also see this file added:
Where I guess the ID is something to uniquely track my app.
I’m not sure if I should be worried or not. If Amazon is willing to modify my app without asking or telling me, how do I know that they’re not doing anything else? Maybe this explains a few of the bad reviews that others have given me about permissions that my app doesn’t ask for. Or maybe not – some users are just crazy.
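A complementary check to the jarsigner comparison above, as an added example that is not part of the original post: it diffs the two .apk archives entry by entry and reports the signing files separately from everything else, so any change outside the signature shows up. The sample archives and the file name store-id.example are constructed placeholders.

```python
import hashlib
import io
import re
import zipfile

# JAR-style signing artefacts in META-INF: the manifest, .SF files and signature blocks.
SIGNING = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$", re.I)

def entry_digests(apk):
    """Map each entry name in the APK (path or file object) to the SHA-256 of its content."""
    with zipfile.ZipFile(apk) as z:
        return {i.filename: hashlib.sha256(z.read(i)).hexdigest()
                for i in z.infolist() if not i.is_dir()}

def compare_apks(original, downloaded):
    """Diff two APKs entry by entry, keeping signing files apart from the payload."""
    a, b = entry_digests(original), entry_digests(downloaded)
    report = {"signing_changed": [], "added": [], "removed": [], "payload_changed": []}
    for name in sorted(a.keys() | b.keys()):
        if SIGNING.match(name):
            # Expected to differ whenever the store re-signs the package.
            if a.get(name) != b.get(name):
                report["signing_changed"].append(name)
        elif name not in a:
            report["added"].append(name)
        elif name not in b:
            report["removed"].append(name)
        elif a[name] != b[name]:
            report["payload_changed"].append(name)
    return report

def make_apk(entries):
    """Build a constructed in-memory stand-in for an APK from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed sample data, not real APK contents; store-id.example is a placeholder name.
    base = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-bytes"}
    mine = make_apk({**base, "META-INF/MANIFEST.MF": b"m1", "META-INF/CERT.RSA": b"dev-key"})
    store = make_apk({**base, "META-INF/MANIFEST.MF": b"m2", "META-INF/CERT.RSA": b"store-key",
                      "META-INF/store-id.example": b"id"})
    for kind, names in compare_apks(mine, store).items():
        print(kind, names)
```

With real files, pass the two paths to `compare_apks`; an empty `payload_changed` list together with only metadata under `added` means the code and resources match what was uploaded.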