pcyanide asked

Testing APK signature

My application involves testing the APK signature to ensure that the package has not been tampered with. Everything worked all right, but when I download the app from Amazon AppStore the test fails, so the application does not behave correctly. Is there a way to build an APK exactly like it appears at Amazon Playstore, so I can test the signature before submission? Hopefully I will find the solution, otherwise I have no alternative to unpublishing my application.
fire tablet

pcyanide answered
Unfortunately, I have to bring some light on it. When you submit a binary, there is a tick box saying something like "Allow Amazon to sign your app". For me it is always ticked and disabled (maybe because of using GameCircle), so there is no way to disable this option. When the APK is downloaded from Amazon Playstore it contains an additional activity and some extra resources, used to identify that the application was downloaded from Amazon Playstore (for example, the In-App purchase library runs in Live mode rather than Sandbox mode). Someone claims that these "extensions" force the application to run only when the Amazon Appstore APK is installed, but I didn't test it. Whether or not this is justified legally or morally is another topic.

What is really important for me is that a modified APK needs to be re-signed. From what I can see, the new signature retains the original name; however, organization, country, and location are wiped out. The Valid From date is modified to the date when the application was registered at Amazon Playstore, and the Valid To date is also modified (probably to a specific amount of days from Valid From).

The crucial question is whether the signature (i.e. the corresponding keystore) is created once, or is re-generated every time a new APK release is submitted. In the first case the signature can be checked programmatically, in the second case it cannot. Probably the only way to find the answer is re-submitting the app, which must be really annoying for Amazon testers. After all, this is not really my fault. Hopefully, the next message will answer the question :)

Nick Gardner answered
Hi,

If you want to sign your own application, please submit a contact us request here: https://developer.amazon.com/public/support/contact/contact-us

For the signature that Amazon signs your app with, it should remain the same for all versions of your app. In fact, the signature is the same across all applications you submit, so once you have the signature of one, you have it for all your apps. If you want to get the certificate hashes for your apps, please submit a contact us request as per above and we can get those for you.

Thanks,
Nick
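Because the store-applied certificate is stable, as the answer above says, an in-app tamper check can pin it alongside the developer's own release certificate so that both local builds and store downloads pass. The following is an added example, not code from any poster in this thread; the class name `SignerCheck` and both hash strings are placeholders, and it assumes the Amazon certificate hash was obtained through the contact request described above.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class SignerCheck {
    // Placeholders (assumptions): lowercase hex SHA-256 of each DER-encoded signing certificate.
    private static final Set<String> TRUSTED = new HashSet<>(Arrays.asList(
            "<sha256-of-your-own-release-certificate>",
            "<sha256-of-the-certificate-amazon-signs-with>"));

    private SignerCheck() {}

    /** True only if the APK has at least one signer and every signer is pinned. */
    public static boolean isTrusted(Context ctx) {
        try {
            Signature[] signers = currentSigners(ctx);
            if (signers == null || signers.length == 0) return false;
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature s : signers) {
                StringBuilder hex = new StringBuilder();
                // Signature.toByteArray() is the DER-encoded certificate.
                for (byte b : sha256.digest(s.toByteArray())) hex.append(String.format("%02x", b));
                // Reject on the first unknown signer instead of trusting only signers[0].
                if (!TRUSTED.contains(hex.toString())) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // fail closed on lookup or digest errors
        }
    }

    @SuppressWarnings("deprecation") // GET_SIGNATURES is the only option before API 28
    private static Signature[] currentSigners(Context ctx) throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            return info.signingInfo == null ? null : info.signingInfo.getApkContentsSigners();
        }
        return pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES).signatures;
    }
}
```

`keytool -list -v` prints the SHA-256 fingerprint of your own certificate as colon-separated uppercase hex, so remove the colons and lowercase it before placing it in the set.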

pcyanide answered
Thank you, Nick. At last I've got a qualified answer and it was really helpful. Indeed, the signature stays the same. I only wish the answer had come a bit earlier, so I wouldn't have needed to re-invent the wheel :) BTW, some of my other questions are still awaiting a reply. Hopefully they will be answered eventually. Thanks