As far as I understand, an .apk is an .apk is an .apk. The play store (for most devices) does not do anything special with the .apk to make the download unique to the user, the play store simply authenticates that the user is allowed to download it and facilitates that process. However with Android 4.1 Jellybean, they introduced an encrypted .apk feature (which had some bugs so I don't know if they fixed it) which allowed developers to require that applications on Jellybean devices would be encrypted. The key that was used to encrypt the .apk was unique to the user+application, and therefore if a user tried uploading the .apk, they'd first have to decrypt the application before anyone else could use it.
On Tuesday, October 30, 2012 2:38:43 AM UTC-7, lyrik Huang wrote: > > Recently I just want to know how google controls the paid app, > I mean how can the .apk only be installed in the device that runs with the > right google account. > is there an additional signature mechanism that adds the buyer's > information into the .apk > I only saw a META-INF directory in the .apk file,but there's no more > information about the consumer who bought the application. > so I want to find out the real mechanism out there. > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To view this discussion on the web visit https://groups.google.com/d/msg/android-security-discuss/-/m_l04MyMsVYJ. To post to this group, send email to android-security-discuss@googlegroups.com. To unsubscribe from this group, send email to android-security-discuss+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
