Why does Android allow an APK with an expired certificate to be installed?

1

9

I made an APK signed with a certificate which has a validity of 1 day. My aim is to give a trial app to some people, but prevent them from copying the application after the expiration date. If they copy the application before the expiration date that is okay. I thought that the Android OS would block any application with an expired certificate from being installed on the phone. However, I find that I can install the application on my phone 2 days after the expiration of the certificate with which it is signed. Jarsigner confirms that the certificate has expired. Why does Android allow an application to be installed with an expired certificate?

Bobwhite answered 11/4, 2011 at 18:31 Comment(7)
That's interesting. But generally people do time-limited trials by putting code in the app to make it refuse to run after a given date, not by hoping the OS will refuse to install it after that date. Do you specifically want to restrict the install date rather than the run date? If so, you could upon pre-expiration installation create an authorization record in private settings and/or the sdcard - each having different clearable/re-install survival concerns. - Falkner
Yes, I don't want to restrict the run date; the app should be fully available to the people who I give it to, but it should not be reinstalled. I'm confused because the Android Guide says that the system tests the certificate's expiration date at install time, but it doesn't seem to be the case. Maybe I could do the job myself like you suggested, but I'd like to know why the certificate is not checked. - Bobwhite
You may very well have found a bug (or have something subtly wrong in the test). But to accomplish your goal, it may be more effective to rely on something you implement yourself. A (probably cached) run-authorization scheme need not be dependent on date either - it could be tied to a user account you'd create on a server somewhere. Incidentally, note that your original scheme, even if it worked, would be trivially defeated by re-signing the apk. - Falkner
Just to check -- you are testing this with your app built in release mode, aren't you? And you didn't push the apk to your phone with adb push? - Hauler
@Chris If I don't find anything wrong maybe I'll report a bug. Are you sure the apk can simply be re-signed by another person to be installed? @Joseph Yes, I followed the procedure from the guide. - Bobwhite
Re-signing is not particularly difficult, you just have to know your way around the command line tools. Fundamentally, since the certificates are self-generated the phone can't see anything special about yours as opposed to someone else's - it can only enforce that two things claiming to be signed by the same entity are, so that updates or shared user id schemes (including system apps) can be vetted for consistency with the existing installed piece. - Falkner
@Patrick, you should try checking it on the emulator/device with DDMS, you should get something similar to this error. - Naphthalene
2

I understand it is allowed to be installed by a developer via adb or third-party. I am sure if you upload it to the Market you'll find difficulties. IMHO, it is logical because when you install applications out of the Market you are assuming many risks that you couldn't solve with a correctly signed application.

Chelsae answered 27/4, 2011 at 8:17 Comment(0)
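The install-date restriction discussed in the comments under the question, enforced by the app itself instead of by the certificate's validity period. This is an added example, not code from any poster in the thread; `TrialGate`, the preference names and the cutoff value are hypothetical.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;

/** Hypothetical helper: allows the app to run only if it was installed before a cutoff. */
public final class TrialGate {
    // Constructed sample cutoff: 2011-04-12T00:00:00Z in epoch milliseconds.
    private static final long INSTALL_CUTOFF_UTC_MS = 1302566400000L;
    private static final String PREFS = "trial_gate";          // hypothetical name
    private static final String KEY_AUTHORIZED = "authorized"; // hypothetical name

    private TrialGate() {}

    /** Returns true if this installation was made on or before the cutoff. */
    public static boolean isInstallAuthorized(Context context) {
        // Authorization record in the app's private settings. It is deleted on
        // uninstall or "clear data", so a later reinstall has to pass the check again.
        SharedPreferences prefs =
                context.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        if (prefs.getBoolean(KEY_AUTHORIZED, false)) {
            return true;
        }

        long installedAt;
        try {
            PackageInfo info = context.getPackageManager()
                    .getPackageInfo(context.getPackageName(), 0);
            // Recorded by the OS when the package is first installed (API level 9+).
            // Updates keep the value; uninstall followed by reinstall resets it.
            installedAt = info.firstInstallTime;
        } catch (PackageManager.NameNotFoundException e) {
            return false; // cannot determine the install time: fail closed
        }

        boolean authorized = installedAt <= INSTALL_CUTOFF_UTC_MS;
        if (authorized) {
            // Cache the decision so later launches do not repeat the lookup.
            prefs.edit().putBoolean(KEY_AUTHORIZED, true).apply();
        }
        return authorized;
    }
}
```

The install time comes from the device clock, and, as noted in the comments, someone who modifies and re-signs the APK can remove a client-side check like this; the server-backed authorization mentioned in the thread avoids depending on either.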
