PackageManager.checkSignatures not working on Lollipop


I use PackageManager.checkSignatures to check whether a paid "unlocker" app is installed. While this works fine on KitKat (on a Galaxy S4), the call to checkSignatures below returns a code of -3 on Lollipop (v5.0.1). Does my code need to be revised for Lollipop?

final PackageManager pkgMgr = context.getPackageManager();
final int sigMatch =
        pkgMgr.checkSignatures(context.getApplicationContext().getPackageName(),
                "com.myname1.myname2.myappunlocker");

1 Answer

CommonsWare On

> When I test the app in debug mode (Android Studio) I never used to get a problem with the signature match on Android 4.4.2, but now (on 5.0.1) the behaviour has changed.

While I have not used checkSignatures() much, that behavior would stun me. The only thing that I can think of is if they had some security bug where debug builds always returned true from checkSignatures(). Otherwise, an app signed with a debug signing key should never match the signature of another app signed with a production signing key.

I know for certain that Android would report different signing keys at runtime via PackageManager for the different builds, as I did a lot of experimentation around that, as part of my work with SignatureUtils.

> Does this mean that this sort of functionality can't be tested using Android Studio on Android 5.0.1?

It means that you should be testing this functionality using the same signing key for both apps. Whether that is the debug key or the release key is up to you.
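A way to confirm the key mismatch described in the answer, as an added example that is not code from the question or the answer: the return value -3 is `PackageManager.SIGNATURE_NO_MATCH`, and logging the signing-certificate digest of each package shows whether one was built with the debug key and the other with the release key. The class name, log tag and `certDigest` helper are hypothetical; the package name is the one from the question.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Log;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class UnlockerCheck {
    private static final String TAG = "UnlockerCheck"; // hypothetical log tag
    // Package name taken from the question.
    private static final String UNLOCKER_PKG = "com.myname1.myname2.myappunlocker";

    /** True only when the unlocker is installed and signed with the same key as this app. */
    public static boolean isUnlocked(Context context) {
        PackageManager pm = context.getPackageManager();
        String self = context.getPackageName();
        int result = pm.checkSignatures(self, UNLOCKER_PKG);
        switch (result) {
            case PackageManager.SIGNATURE_MATCH:           // 0
                return true;
            case PackageManager.SIGNATURE_UNKNOWN_PACKAGE: // -4: unlocker not installed
                return false;
            case PackageManager.SIGNATURE_NO_MATCH:        // -3: different signing keys
                // Diagnostics only; the trust decision stays with checkSignatures().
                Log.w(TAG, "Key mismatch: self=" + certDigest(pm, self)
                        + " unlocker=" + certDigest(pm, UNLOCKER_PKG));
                return false;
            default:                                       // unsigned package cases
                Log.w(TAG, "checkSignatures returned " + result);
                return false;
        }
    }

    /** Hex SHA-256 of the first signing certificate, or a short error marker. */
    @SuppressWarnings("deprecation") // GET_SIGNATURES is the API available on Lollipop
    static String certDigest(PackageManager pm, String pkg) {
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length == 0) return "<unsigned>";
            byte[] hash = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
            StringBuilder hex = new StringBuilder();
            for (byte b : hash) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return "<" + e.getClass().getSimpleName() + ">";
        }
    }
}
```

If the two logged digests differ, the apps were signed with different keys; build and install both with the same signing configuration before testing the unlock path.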