Detect if app was downloaded from Android Market

Asked 12/6, 2009 at 13:25 Answered 22/12, 2011 at 0:13

I have an Android library that uploads data to a test server and production server. I'd like developers using this library to use the test server when developing, and production server when the app is downloaded from Android Market.

Is this possible for an app to tell where it came from (Market or non-Market?) I would imagine one could detect the presence of the signed JAR file.

Preceptory answered 12/6, 2009 at 13:25 Comment(3)

Do you want to know if the app is published, or from where the end user downloaded the app? Like, either the user loaded the app from the market, so market apps use the production server, or the app was published so all copies of that app become production apps. – Abydos 12/6, 2009 at 14:7

Grant, the difference I'm looking for really is developer-time vs production-time, so I do want developer copies to remain on the test server. I just want any apps which were downloaded "in the wild" to use the production server. – Preceptory 12/6, 2009 at 14:31

Create another application that doesn't do anything, then test for the presence of that to indicate a debug build? Install app on development phones. – Pignus 7/10, 2010 at 17:13

Yes, you could use the signature for that. If you use a debug key to sign your app during development and a release key when uploading your app to the market you can check for the signature that the app was signed with and based on that use test or production server. Here is a small code piece to read the signature of your app:

    try {
        PackageManager manager = context.getPackageManager(); 
        PackageInfo appInfo = manager.getPackageInfo(
            YOUR_PACKAGE_NAME, PackageManager.GET_SIGNATURES);

        // Now test if the first signature equals your debug key.
        boolean shouldUseTestServer = 
            appInfo.signatures[0].toCharsString().equals(YOUR_DEBUG_KEY);

    } catch (NameNotFoundException e) {
        // Expected exception that occurs if the package is not present.
    }

YOUR_PACKAGE_NAME must be something like 'com.wsl.CardioTrainer'. It must be the package name you used in your AndroidManifest.xml. Good Luck

mark

Alienage answered 13/6, 2009 at 17:33 Comment(8)

Is it a good idea to hard code YOUR_RELEASE_KEY? Will reverse engineering reveal this? – Hatchway 16/7, 2009 at 19:7

That might solve the problem but i would definitely NOT put my full private key into my code if i was you. Maybe you could get away with just using a 20 char subset of the key or something? – Jackfish 6/11, 2009 at 18:59

I think using some kind of hash on your key and hard coding that in, then hashing the key stored in the package info, then checking that would stop anyone from seeing the real key if it was reverse engineered. – Sweitzer 9/1, 2010 at 0:22

Wouldn't you get around the security exposure if you tested for the debug key rather than the release key? – Concordat 1/3, 2010 at 11:3

You dont want to compare the signature to your debug key. Instead, you should compare the X500 principal of the signature to your debug key (or release key, or any other key). See https://mcmap.net/q/213335/-android-compare-signature-of-current-package-with-debug-keystore – Austerlitz 8/5, 2012 at 16:44

Regarding the signature: that is not your private key; it is the public key that corresponds to your private key. So using (and testing) the release key's signature (as opposed to the private key) should be OK. An easy way to obtain this value is just to log it from a signed copy of your APK. – Ninurta 7/12, 2012 at 3:38

Check out its installation source: #3178543 – Huggermugger 20/7, 2014 at 5:34

We can store key in config file in assets folder – Exception 18/6, 2016 at 20:36

Starting with API 5, you can use PackageManager.getInstallerPackageName(String). From the documentation:

Retrieve the package name of the application that installed a package. This identifies which market the package came from.

To get the package of the Android Market, this post may help.

Lacto answered 22/12, 2011 at 0:13 Comment(0)

From what I can tell there is nothing that the Market Application does to "flag" an application to say that it was downloaded from the market.

I have seen this issue approached in a different manner by another Android library. The AdMob Android SDK is free to download and use as described on their wiki. This library serves ads, so they have the same desire to be able to determine if the application that is currently running is being tested by the developer or if it is being used "in the wild". Their approach was to require that the developer set a "testing" attribute in the XML or to call their libraries "setTesting(boolean)" function to let the library know which ads to serve. This is obviously more of a manual approach that relies on the developer to change one line of code or XML before publishing.

Mic answered 13/6, 2009 at 3:48 Comment(2)

Yeah, that's one approach .. the problem is that it's hard to remember to change it back when you publish :) I was looking for a way that would be automatic. Oh well. – Preceptory 13/6, 2009 at 4:9

You could customize the build.xml Ant build script to swap out variables between release vs. debug building. I've done it in such a way that a configuration class (for Facebook and Twitter keys) and a resource file (for Google Maps) are swapped automatically. – Radiophone 20/11, 2011 at 19:48

You could default your configuration to the production environment and use a custom Instrumentation that sets the configuration to testing environment. Intrumentation should be removed before publishing to the android market.

Foresee answered 12/6, 2009 at 16:4 Comment(0)

Perhaps you could add a setting to your app for "developer mode".

Another possibility, have it look for a special file or configuration file on the SD card, and key off of that.

Lahey answered 13/6, 2009 at 13:24 Comment(0)

Recommended topics

Hot tags