I use PackageManager.checkSignatures to check whether a paid "unlocker" app is installed. While this works fine on KitKat (on a Galaxy S4), the call to checkSignatures below returns a code of -3 on Lollipop (v5.0.1). Does my code need to be revised for Lollipop?
    final PackageManager pkgMgr = context.getPackageManager();
    final int sigMatch =
        pkgMgr.checkSignatures(context.getApplicationContext().getPackageName(),
                               "com.myname1.myname2.myappunlocker");
While I have not used checkSignatures() much, that behavior would stun me. The only thing that I can think of is if they had some security bug where debug builds always returned true from checkSignatures(). Otherwise, an app signed with a debug signing key should never match the signature of another app signed with a production signing key.

I know for certain that Android would report different signing keys at runtime via PackageManager for the different builds, as I did a lot of experimentation around that, as part of my work with SignatureUtils.

It means that you should be testing this functionality using the same signing key for both apps. Whether that is the debug key or the release key is up to you.