tags:

views:

1063

answers:

5

I have an Android library that uploads data to a test server and production server. I'd like developers using this library to use the test server when developing, and production server when the app is downloaded from Android Market.

Is this possible for an app to tell where it came from (Market or non-Market?) I would imagine one could detect the presence of the signed JAR file.

A: 

You could default your configuration to the production environment and use a custom Instrumentation that sets the configuration to testing environment. Intrumentation should be removed before publishing to the android market.

Josef
+2  A: 

From what I can tell there is nothing that the Market Application does to "flag" an application to say that it was downloaded from the market.

I have seen this issue approached in a different manner by another Android library. The AdMob Android SDK is free to download and use as described on their wiki. This library serves ads, so they have the same desire to be able to determine if the application that is currently running is being tested by the developer or if it is being used "in the wild". Their approach was to require that the developer set a "testing" attribute in the XML or to call their libraries "setTesting(boolean)" function to let the library know which ads to serve. This is obviously more of a manual approach that relies on the developer to change one line of code or XML before publishing.

snctln
Yeah, that's one approach .. the problem is that it's hard to remember to change it back when you publish :) I was looking for a way that would be automatic. Oh well.
sehugg
A: 

Perhaps you could add a setting to your app for "developer mode".

Another possibility, have it look for a special file or configuration file on the SD card, and key off of that.

davenpcj
+11  A: 

Yes, you could use the signature for that. If you use a debug key to sign your app during development and a release key when uploading your app to the market you can check for the signature that the app was signed with and based on that use test or production server. Here is a small code piece to read the signature of your app:

    try {
        PackageManager manager = context.getPackageManager(); 
        PackageInfo appInfo = manager.getPackageInfo(
            YOUR_PACKAGE_NAME, PackageManager.GET_SIGNATURES);

        // Now test if the first signature equals your debug key.
        boolean shouldUseTestServer = 
            appInfo.signatures[0].toCharsString().equals(YOUR_DEBUG_KEY);

    } catch (NameNotFoundException e) {
        // Expected exception that occurs if the package is not present.
    }

YOUR_PACKAGE_NAME must be something like 'com.wsl.CardioTrainer'. It must be the package name you used in your AndroidManifest.xml. Good Luck

mark

maximon
Is it a good idea to hard code YOUR_RELEASE_KEY?Will reverse engineering reveal this?
Thushan
That might solve the problem but i would definitely NOT put my full private key into my code if i was you.Maybe you could get away with just using a 20 char subset of the key or something?
Declan Shanaghy
I think using some kind of hash on your key and hard coding that in, then hashing the key stored in the package info, then checking that would stop anyone from seeing the real key if it was reverse engineered.
Austyn Mahoney
Wouldn't you get around the security exposure if you tested for the debug key rather than the release key?
Rob Kent
A: 

Create another application that doesn't do anything, then test for the presence of that to indicate a debug build? Install app on development phones.

OJW