Conversation

Replying to
Any number of profiles can have the same app installed. F-Droid is reusing app ids for different apps, which is not supposed to be done, and causes conflicts, since apks are shared across profiles with the apps installed and key pinning / downgrade protection is applied globally.
Replying to
Oh, 2 different problems. Which app ids are being reused? Like the Play Store version of the app and the F-Droid version have the same id?
Replying to
Yes, or the developer's variant of the app they published outside the Play Store. This is not supposed to be done when apps are different build variants or have different signing keys. The app id is supposed to be unique to each published build variant or you get conflicts.
Replying to
If you published 2 build variants of an app yourself with the same app id, then installing the 1st variant in one profile and then the 2nd variant in another would replace the 1st variant globally. App ids are meant to be globally unique identifiers for the build variant of apps.
Replying to
You are supposed to use a reverse domain name as the prefix of your app identifier. You are supposed to own that domain. If you fork / modify another project, you're supposed to change the app id to a reverse domain of a domain that you own. It's mostly an under the hood thing.
Replying to
It is user facing in several places. Play Store on the web shows it as the URL for the application page. Settings app shows the app id too. It's in multiple other places too, but it's mostly an under the hood unique identifier for an app. It's how the OS identifies app packages.
Replying to
If you try to install an older release of an app, meaning installing a package or set of packages (split apks) with a lower versionCode and same app id, you get an error from the downgrade prevention which is both an important security and data corruption prevention feature.
Replying to
If you try to install an app with the same app id as one you have installed in any profile which has a mismatched signing key NOT authorized by the original key via a key rotation proof, you get a signature validation error explaining that the signing key is mismatched.
Replying to
Downgrade protection error could be improved by making it describe the specific problem. Signing key mismatch already has a specific error that's worded properly in AOSP but it's still confusing when you don't realize what F-Droid is doing and think devs publish their apps on it.
Replying to
Developers do not publish their apps on F-Droid. F-Droid publishes their builds of apps. You're confusing how the Play Store works with how F-Droid works.