Android L permission conflict between release and debug apks

Question

I've upgraded to Android L and have both a released version of my app in "Google play" and a debug version which we use for development.

They are signed with different keys.

My problem is that I install the "Google play" version and then when I try installing the debug version, which is defined like so:

debug {
        debuggable true
        packageNameSuffix ".debug"
        buildConfigField BOOLEAN, IS_DEV, TRUE
    }

And this is the error I receive:

Failure [INSTALL_FAILED_DUPLICATE_PERMISSION perm=com.app.name.permission.C2D_MESSAGE pkg=com.app.name]

This is the problematic permission:

<permission
    android:name="com.app.name.permission.C2D_MESSAGE"
    android:protectionLevel="signature"/>

<uses-permission android:name="com.app.name.permission.C2D_MESSAGE"/>

I am aware of (http://commonsware.com/blog/2014/08/04/custom-permission-vulnerability-l-developer-preview.html) and of the fact that this was created due to a security issue, but I still need to be able to work with a team each having their own debug signing key.

I've tried uninstalling using adb uninstall (https://stackoverflow.com/a/27090838/2746924) and I've tried clearing all apps cache on device.

Answer 1

I can successfully have both debug and release editions of a GCM client app installed on the same Android 5.0 Nexus 9 at the same time, by amending the manifest to use placeholders:

<permission
  android:name="${applicationId}.permission.C2D_MESSAGE"
  android:protectionLevel="signature" />
<uses-permission
  android:name="${applicationId}.permission.C2D_MESSAGE" />

Note that you should also use ${applicationId} in your <receiver> for the <category>:

    <receiver
        android:name="GCMBroadcastReceiverCompat"
        android:permission="com.google.android.c2dm.permission.SEND">
        <intent-filter>
            <action android:name="com.google.android.c2dm.intent.RECEIVE"/>

            <category android:name="${applicationId}" />
        </intent-filter>
    </receiver>

(frankly, I am unconvinced that the custom <permission> is even needed anymore, given that I tried removing it and can still receive GCM messages)

If you then define your build.gradle as you have it, with an applicationIdSuffix for one of the build types (e.g., debug), you will wind up with separate custom permissions by build type, and you will be able to have them installed side by side.