
I developed an app for Android and I'd like to publish it on Google Play. I'd like to send the APK file to some other people before publishing it.

My question is, what protects my APK from someone else publishing it himself?

I could compile the app in debug, so Google Play doesn't accept it. I could compile the app in release with a private key, but if the package name has never been uploaded to Google Play, another developer account could just upload it as his app, can't he?

What I do understand is, the private key protects an app from someone else using the same package name if he doesn't have the key. But what protects an APK from being uploaded if it hasn't been uploaded at that time? Also, is it that complicated to reverse engineer an APK (signed or debug signed) and just change the package name? That way anyone could publish any app as a "new" one in his account.

Maybe someone can clear things up a little.

Thanks in advance

Kedu

3 Answers

To prevent your testers from uploading your APK to the app store, you yourself can privately publish it to the Play Store in either the beta or alpha stage. You can control who can see and download your app. Don't worry, you are not making it publicly available. See "Use alpha/beta testing & staged rollouts". Now you have it available on the Play Store with that package name, but with limited visibility only to the testers.

To prevent someone from reverse engineering your app, changing the package name and republishing on the store, as others have mentioned, you can obfuscate your code to make reverse engineering harder. There are many tools out there. Some are free and others are paid, but of course with more features like tampering resistance etc. See the "How to avoid reverse engineering of an APK file?" question for more details.

Shobhit Puri
  • I did upload it to Google Play actually, but didn't publish it. So I guess now it's protected against other people uploading it, because the package name is registered to my dev account? I didn't use SafeGuard so far. Do you think it's important to always use it when uploading an APK? If it's so easy to get the package name from an APK and change it, that's a big problem... – Kedu Sep 23 '14 at 20:56
  • You could get all the code, assets, resource files etc. from an APK which is installed on the device using free tools within 15 minutes, or maybe faster if you know the right tools. There are some okay free debuggers which one can use. However, some of the paid debuggers are good at reverse engineering Java code. So, it depends on how much important business logic etc. you've got there in code. You can just make it tougher for anyone by obfuscating. However, it's still not foolproof. It's not as easy to just change the package name and upload the app again. However, it's not impossible. – Shobhit Puri Sep 23 '14 at 21:03
  • Your idea of claiming the package name first is good, but obfuscation **will not** by itself protect against blind re-naming. – Chris Stratton Sep 23 '14 at 21:50
  • @ChrisStratton Thanks for the comment. So you mean to say that it is easily possible to change the package name in the manifest without actually reverse engineering the APK and making the code compilable? I understand that obfuscation won't stop it, but won't it make things difficult for the one who is trying to just upload it with another package name on the Play Store? What can be the other ways to make it harder, or to stop it if possible? Thanks again for sharing. – Shobhit Puri Sep 23 '14 at 22:00
  • Obfuscation can't alter anything which needs/is needed to interact with the android platform - such as the package name. So they don't need to reverse the obfuscation to change that. If someone is distributing your copyrighted work through a legitimate channel without authorization, you have a variety of legal remedies available. – Chris Stratton Sep 24 '14 at 14:56
  • Interesting! Thanks for the info Chris. – Shobhit Puri Sep 24 '14 at 15:04

Basically, if your APK is not signed you can't deploy it to Google Play. More information here.

You can obfuscate APK code with ProGuard, which makes it hard to reverse engineer your APK.

ar-g
  • But I can't compile in release mode without giving a signing key... I also think an app has to be signed, otherwise Android won't install it. – Kedu Sep 23 '14 at 20:50
  • Right, it's signed in debug mode: _In debug mode, you sign your app with a debug certificate generated by the Android SDK tools._ This means that if your app is in debug mode nobody can release it. Otherwise, if you sign it in release mode it's possible, but without having the signing keystore they can't update the app. – ar-g Sep 24 '14 at 09:39
  • They can trivially re-sign it with a release key. – Chris Stratton Sep 24 '14 at 14:54

I could compile the app in debug, so Google Play doesn't accept it.

This is true, Play does not accept unsigned apps. However, reverse engineering is a problem.

I could compile the app in release with a private key, but if the package name has never been uploaded to Google Play, another developer account could just upload it as his app, can't he?

This is also true. He can't ever update it without your keystore, but he can upload it to Google Play. I never sign apps when I send them for testing.

Luckily for us, there is a tool called ProGuard that stops, or at least makes it very difficult for someone to do, reverse engineering. ProGuard does a lot of cool stuff, but what's important is that it protects your code by renaming every class, method, field etc. So if you had a class MyActivity that had a method doSomething, it will now be (for example) class A method B etc.

Marija Milosevic
  • You can't install an unsigned app, even as a tester - debug apps are signed, only with a debug key. And ProGuard in no way protects against someone distributing your app intact - at best, it could protect some *other* mechanism intended to limit unauthorized use against *the most trivial* attempts at disabling it. – Chris Stratton Sep 23 '14 at 21:51
  • When I said unsigned I actually meant signed with a debug key (as that is done automatically in debug mode when you run or debug your project from the IDE). And if you have an app signed with a debug key and you do run ProGuard, nobody could deploy the intact app on Play, and the code is pretty hard to reverse engineer. – Marija Milosevic Sep 23 '14 at 22:10
  • You don't need to reverse engineer the code to re-sign it with a release key. – Chris Stratton Sep 24 '14 at 14:53
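A pre-distribution check I would run on a build before handing it to testers, added here as an example and not code from any of the answers above: it reads the "Signer #N certificate DN" lines that `apksigner verify --print-certs` prints (the apksigner output and the APK zip are constructed inside the block so it runs offline) and reports whether the build carries the stock SDK debug certificate, which is what makes Play refuse the upload; a release signer, as the thread notes, only stops other accounts from pushing updates.

```python
import io
import re
import zipfile
from typing import Dict, List

# Subject DN the SDK tools put in the auto-generated debug keystore.
ANDROID_DEBUG_DN = "CN=Android Debug,O=Android,C=US"


def classify_signer_dn(dn: str) -> str:
    """'debug' for the stock SDK debug certificate, 'release' for anything else."""
    normalized = re.sub(r"\s*,\s*", ",", dn.strip())
    return "debug" if normalized == ANDROID_DEBUG_DN else "release"


def parse_signer_dns(apksigner_text: str) -> List[str]:
    """Extract the certificate DN lines printed by `apksigner verify --print-certs`."""
    return re.findall(r"^Signer #\d+ certificate DN:\s*(.+?)\s*$", apksigner_text, re.MULTILINE)


def v1_signature_blocks(apk_bytes: bytes) -> List[str]:
    """JAR-style (v1) signature blocks; v2/v3 signatures live in the zip trailer, not META-INF."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [n for n in zf.namelist()
                if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]


def assess(apk_bytes: bytes, apksigner_text: str) -> Dict[str, object]:
    """Summarise how the APK is signed and whether Play would refuse the upload outright."""
    kinds = [classify_signer_dn(dn) for dn in parse_signer_dns(apksigner_text)]
    return {
        "v1_blocks": v1_signature_blocks(apk_bytes),
        "signers": kinds,
        # Play rejects debug-signed or unsigned uploads; a release signer only blocks *updates* by others.
        "play_would_reject": (not kinds) or ("debug" in kinds),
    }


def build_sample_apk() -> bytes:
    """Constructed stand-in for a debug build: a zip with a dex entry and a v1 signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")        # constructed, not a real dex
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")       # constructed, truncated PKCS#7 header
    return buf.getvalue()


# Constructed sample of apksigner's output for a debug-signed APK (digest is a placeholder).
SAMPLE_APKSIGNER_OUTPUT = """\
Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
Signer #1 certificate SHA-256 digest: <placeholder>
"""

if __name__ == "__main__":
    print(assess(build_sample_apk(), SAMPLE_APKSIGNER_OUTPUT))
```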