Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

When is LICENSED_OLD_KEY returned from server?

Tags:

code-signing

google-play

license-key

android-lvl

The documentation for application licensing describes LICENSED_OLD_KEY as meaning:

The application is licensed to the user, but there is an updated application version available that is signed with a different key.

On the other hand, the documentation for signing strategies says:

If you sign the new version without using matching certificates, you will also need to assign a different package name to the application — in this case, the user installs the new version as a completely new application.

Since applications are identified by their package names, this seems to say that you can't change the signing key for a published application. (Rather, you can change the key and package, but then it will be treated by the market as a new application.)

I can't think of a scenario where it is possible to receive a LICENSED_OLD_KEY response. Am I missing something?

like image 363
Ted Hopp Avatar asked Jul 04 '11 15:07

Ted Hopp

1 Answers

The documentation states that LICENSED_OLD_KEY

...can indicate that the key pair used by the installed application version is invalid or compromised.

Looks like this code was added for cases where a private key is leaked or can otherwise be no longer trusted. Since the current IPC mechanism doesn't even know which public key is used on the client side, I would guess that the whole package name gets tainted. The idea is that in this case an app should ask a user to upgrade to the new version which isn't tainted and should presumably already exist. Since this upgrade would require switching to a whole new different package, how this is supposed to be done is unclear. My guess is that this mechanism isn't really used at all at this point, so the chances of getting this code are very close to zero. In the current version of the official LVL library this code is treated the same way the normal LICENSED response is.

p.s. Also please note that you confuse the keypair used for signing your apps and the keypair used for the LVL service. Those two are completely different and unrelated. Interestingly, with the latter keypair you don't even get to know the private key at all. You get your own pre-generated public key (one per developer) from your publisher console, and that's all you get.

like image 70
dragonroot Avatar answered Nov 11 '22 09:11

dragonroot
Sign in to Comment

Related questions

How to open Google Play Install app dialog similar to Youtube ad cliick
Android Market Statistics API? [closed]
How can an app enable "Allow Automatic Updating" in the Android market
Force app update through market, as if user clicks "Update" [closed]
Android Market install referrer is empty for installs from market. Is it a bug or normal behavior?
How to add an email group to Google Play Store Alpha/Beta Testing
How to upload an Android app to the app store via command line
Update an installed android apk using another apk without google play
Android youtube player app, google play rejected for background playing
How to package a WatchFace only App for Google Play publishing
Google Play Store error code -2
0 support device at Google Play Developer Console
release notes and language in Google Play Console
Android Wear app not visible in store (Internal test track)
Google Play warning about missing leanback intent
Google Play Billing Library 3.0 Released. How to migrate from 2.2.0, any changes needed?
Google Play Console App Rejection APK REQUIRES VALID PRIVACY POLICY AND PROMINENT DISCLOSURE
Procedure for licensing Android market
How can I test Android Market Filtering before publishing my app?
How to force PhoneGap Android app to perform self-update?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!