Recently I just want to know how google controls the paid app, I mean how can the .apk only be installed in the device that runs with the right google account. is there an additional signature mechanism that adds the buyer's information into the .apk I only saw a META-INF directory in the .apk file,but there's no more information about the consumer who bought the application. so I want to find out the real mechanism out there.
As far as I understand, an .apk is an .apk is an .apk. The play store (for most devices) does not do anything special with the .apk to make the download unique to the user, the play store simply authenticates that the user is allowed to download it and facilitates that process. However with Android 4.1 Jellybean, they introduced an encrypted .apk feature (which had some bugs so I don't know if they fixed it) which allowed developers to require that applications on Jellybean devices would be encrypted. The key that was used to encrypt the .apk was unique to the user+application, and therefore if a user tried uploading the .apk, they'd first have to decrypt the application before anyone else could use it.
On Tuesday, October 30, 2012 2:38:43 AM UTC-7, lyrik Huang wrote:
> Recently I just want to know how google controls the paid app, > I mean how can the .apk only be installed in the device that runs with the > right google account. > is there an additional signature mechanism that adds the buyer's > information into the .apk > I only saw a META-INF directory in the .apk file,but there's no more > information about the consumer who bought the application. > so I want to find out the real mechanism out there.
That's right, there's no special signing on the Play store level, though
*every* app is signed by a developer, paid or unpaid. (And of course,
there are other app stores as well...)
Perhaps if you clarify a little more as to why you're asking?
kris
On Thu, Nov 15, 2012 at 10:20 AM, seattleandrew <actorand...@gmail.com>wrote:
> As far as I understand, an .apk is an .apk is an .apk. The play store (for
> most devices) does not do anything special with the .apk to make the
> download unique to the user, the play store simply authenticates that the
> user is allowed to download it and facilitates that process. However with
> Android 4.1 Jellybean, they introduced an encrypted .apk feature (which had
> some bugs so I don't know if they fixed it) which allowed developers to
> require that applications on Jellybean devices would be encrypted. The key
> that was used to encrypt the .apk was unique to the user+application, and
> therefore if a user tried uploading the .apk, they'd first have to decrypt
> the application before anyone else could use it.
> On Tuesday, October 30, 2012 2:38:43 AM UTC-7, lyrik Huang wrote:
>> Recently I just want to know how google controls the paid app,
>> I mean how can the .apk only be installed in the device that runs with
>> the right google account.
>> is there an additional signature mechanism that adds the buyer's
>> information into the .apk
>> I only saw a META-INF directory in the .apk file,but there's no more
>> information about the consumer who bought the application.
>> so I want to find out the real mechanism out there.
> To post to this group, send email to
> android-security-discuss@googlegroups.com.
> To unsubscribe from this group, send email to
> android-security-discuss+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
On Thu, Nov 15, 2012 at 8:38 PM, Nikolay Elenkov
<nikolay.elen...@gmail.com>wrote:
> On Fri, Nov 16, 2012 at 10:30 AM, Kristopher Micinski
> <krismicin...@gmail.com> wrote:
> > That's right, there's no special signing on the Play store level, though
> > *every* app is signed by a developer, paid or unpaid. (And of course,
> there
> > are other app stores as well...)
> While this is not signing per se, paid apps are encrypted with a
> device-specific key before
> being distributed to JB+ devices. They are decrypted on the device as
> part of the installation
> process, which may additionally create an encrypted container for the
> app (forward locking)
Yes, perhaps I should clarified, and I believe you have a link as to the
relevant implementation details on your blog..
Information about who bought which app is kept on the Play Store
> servers, and you can
> request it using LVL or RESTORE_TRANSACTIONS for in-app billing and
> implement online
> license checking. It is not embedded in the actual APKs though.
