If you put the signature in the manifest, the manifest itself couldn't be signed, i.e. someone could modify it and still pretend that they're "you".
The point of the signature is to prevent someone from modifying your code and pretending that they're you. It's definitely not meant to prevent piracy. JBQ 2009/4/20 fdimeglio <[email protected]>: > > Hello Jean-Baptiste, > > When I was asking "how this can be possible?" I was meaning how can an > apk be resigned ? Enabling apk re-signing is clearly not good, and I > would have expected the signature to be in the manifest and also > plugged into the dex file preventing the app to run if the signature > is changed. > > Right now, here is an easy piracy scenario: > > - take any apk > - change the resources (all strings should be put into the resources > arent they for enabling localization ?) and thus change the > application name > - find a way to change the package class name > - resigned the apk > > Voila, a brand new app with code from another app. > > That seems too easy. > > Fabrice > > On Apr 20, 6:46 am, Jean-Baptiste Queru <[email protected]> wrote: >> Well, they could have used their signature instead of yours. >> >> JBQ >> >> 2009/4/18 fdimeglio <[email protected]>: >> >> >> >> >> >> > Hello, >> >> > I am the developer of OthBase an Othello/Reversi game application for >> > Android available as a free and paid download. >> >> > To my surprise I have received a couple of days ago the following >> > email: >> >> > ========== >> > from: [email protected] >> >> > Dear Mr. /Ms, >> >> > Good day! >> >> > This is Kevin from China, my teammates and I have an android community >> > website-www.91android.com(one of the leading Android community >> > websites in China), we are hoping to get your authorization to >> > localize and post your Android application-OthBase on our site. >> >> > We are aiming to make our website the No.1 Android community in China >> > mainland by publishing android news, localized applications, etc. >> > After hardworking and popularizing for months, we have accumulated >> > great amount of registers, and have received great attention from >> > Android fans and media. >> >> > Now, we need to get your permission to localize your android >> > application mentioned above and put it onto our website. What we are >> > offering is a free service and you can regard our website as a >> > distribution mechanism (quite like android market, but to distribute >> > the Chinese version). >> >> > We hope and believe that we can both benefit from our cooperation. >> >> > 1. We can introduce your application to the huge user group in China >> > mainland. >> > 2. We can attract more attention by publishing the Chinese version of >> > your application on our website. >> >> > If you are interested, or have any questions, please don't hesitate to >> > let me know. Look forward to your feedbacks and suggestions soon. >> >> > Best regards, >> >> > Kevin Xue >> >> > 2009-04-16 >> > fatty228 >> >> > ========== >> >> > So I went to their website, done registration and searched for >> > OthBase. I could find that they are distributing without my agreement >> > an apk of my application localized in Chinese. >> >> > I immediately sent to this person an email to stop distributing my >> > software but I dont know if he will follow my request. >> >> > Another concern is that after getting their apk, I could install it >> > without any issue on my ADP1 and looking at the manifest I could see >> > that they have changed the resources and been able to sign all this >> > again to make it a perfectly viable apk file. >> >> > How can this be possible ???? >> >> > Any suggestion, idea would be very welcome. >> >> > Fabrice >> >> -- >> Jean-Baptiste M. "JBQ" Queru >> Android Engineer, Google. >> >> Questions sent directly to me that have no reason for being private >> will likely get ignored or forwarded to a public forum with no further >> warning. > > > -- Jean-Baptiste M. "JBQ" Queru Android Engineer, Google. Questions sent directly to me that have no reason for being private will likely get ignored or forwarded to a public forum with no further warning. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Android Discuss" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-discuss?hl=en -~----------~----~----~----~------~----~------~--~---
