How does Android update an app which is free if you get it via sideloading
but which is payware if you get it via a Google Play Store client instead?

In a recent thread by Carlos, a classic situation occurred, which is still
wending its way toward a solution but which I think happened like this:
*Gallery app*
<https://groups.google.com/g/comp.mobile.android/c/6ccoPgWOOmQ>

a. At some point long ago, (we assume) Carlos installed the free app
which goes by the unique name of <com.simplemobiletools.gallery.pro>.
<https://www.simplemobiletools.com/>

b. This same FOSS app is supplied on Google Play Store repository for a
fee, but it's free when obtained outside the Google Play Store.
<https://www.simplemobiletools.com/blog/trial-period>

c. Until Android 12, F-Droid didn't AUTOMATICALLY update the apps you
installed from it, but Carlos could have just downloaded the APK so
F-Droid wouldn't even _know_ (would it?) that he had installed it.
<https://f-droid.org/en/packages/com.simplemobiletools.gallery.pro/>

d. Even so, F-Droid always could _manually_ update any app it installed,
but you can download the APK _without_ using the F-Droid app at all.
<https://f-droid.org/repo/com.simplemobiletools.gallery.pro_385.apk>

e. We don't know exactly how Google updates apps, but certainly there's
a GUI that is on by default when you have the Google Play Store enabled.
<https://play.google.com/store/apps/details?id=com.simplemobiletools.gallery.pro>

f. We don't know how Carlos installed the app but if he installed it
outside the Google Play Store client, does the GPS client know that?

g. The reason I ask is that Carlos stated the app was updated, somehow,
to the payware version and he doesn't know how that could have happened.

h. The only two things I can think of that are different in the app is
there must be code inserted to check the payment and the signatures
are apparently different but otherwise, isn't the app exactly the
same on the Google Play Store repo as it is on the F-Droid repo?

In summary, how does Android update an app which is free if you get it via
sideloading but which is payware if you get it via the Google Play Store?

On Sat, 18 Mar 2023 02:54:21 +0000, Andy Burnelli <nospam@nospam.net>
wrote:

> How does Android update an app which is free if you get it via sideloading
> but which is payware if you get it via a Google Play Store client instead?
>
> In a recent thread by Carlos, a classic situation occurred, which is still
> wending its way toward a solution but which I think happened like this:
> *Gallery app*
> <https://groups.google.com/g/comp.mobile.android/c/6ccoPgWOOmQ>
>
> a. At some point long ago, (we assume) Carlos installed the free app
> which goes by the unique name of <com.simplemobiletools.gallery.pro>.
> <https://www.simplemobiletools.com/>
>
> b. This same FOSS app is supplied on Google Play Store repository for a
> fee, but it's free when obtained outside the Google Play Store.
> <https://www.simplemobiletools.com/blog/trial-period>
>
> c. Until Android 12, F-Droid didn't AUTOMATICALLY update the apps you
> installed from it, but Carlos could have just downloaded the APK so
> F-Droid wouldn't even _know_ (would it?) that he had installed it.
> <https://f-droid.org/en/packages/com.simplemobiletools.gallery.pro/>
>
> d. Even so, F-Droid always could _manually_ update any app it installed,
> but you can download the APK _without_ using the F-Droid app at all.
> <https://f-droid.org/repo/com.simplemobiletools.gallery.pro_385.apk>
>
> e. We don't know exactly how Google updates apps, but certainly there's
> a GUI that is on by default when you have the Google Play Store enabled.
> <https://play.google.com/store/apps/details?id=com.simplemobiletools.gallery.pro>
>
> f. We don't know how Carlos installed the app but if he installed it
> outside the Google Play Store client, does the GPS client know that?
>
> g. The reason I ask is that Carlos stated the app was updated, somehow,
> to the payware version and he doesn't know how that could have happened.
>
> h. The only two things I can think of that are different in the app is
> there must be code inserted to check the payment and the signatures
> are apparently different but otherwise, isn't the app exactly the
> same on the Google Play Store repo as it is on the F-Droid repo?
>
> In summary, how does Android update an app which is free if you get it via
> sideloading but which is payware if you get it via the Google Play Store?

from carlos

https://en.wikipedia.org/wiki/F-Droid

Key management

The Android operating system checks that updates are signed with the
same key, preventing others from distributing updates that are signed by
a different key.[51][52] Originally, the Google Play store required
applications to be signed by the developer of the application, while
F-Droid only allowed its own signing keys. So apps previously installed
from another source have to be reinstalled to receive updates.[53]

In September 2017 Google Play started offering developers a signing key
service managed by Google Play,[54] offering a similar service to what
F-Droid offered since 2011, and F-Droid now lets developers use their
own keys via the reproducible build process.[55]

On 2023-03-18 03:54, Andy Burnelli wrote:
> How does Android update an app which is free if you get it via sideloading
> but which is payware if you get it via a Google Play Store client instead?
>
> In a recent thread by Carlos, a classic situation occurred, which is still
> wending its way toward a solution but which I think happened like this:
> *Gallery app*
> <https://groups.google.com/g/comp.mobile.android/c/6ccoPgWOOmQ>
>
> a. At some point long ago, (we assume) Carlos installed the free app
>   which goes by the unique name of <com.simplemobiletools.gallery.pro>.
>   <https://www.simplemobiletools.com/>
>
> b. This same FOSS app is supplied on Google Play Store repository for a
>   fee, but it's free when obtained outside the Google Play Store.
>   <https://www.simplemobiletools.com/blog/trial-period>
>
> c. Until Android 12, F-Droid didn't AUTOMATICALLY update the apps you
> installed from it, but Carlos could have just downloaded the APK so
> F-Droid wouldn't even _know_ (would it?) that he had installed it.
>   <https://f-droid.org/en/packages/com.simplemobiletools.gallery.pro/>
>
> d. Even so, F-Droid always could _manually_ update any app it installed,
>   but you can download the APK _without_ using the F-Droid app at all.
>   <https://f-droid.org/repo/com.simplemobiletools.gallery.pro_385.apk>
>
> e. We don't know exactly how Google updates apps, but certainly there's
>   a GUI that is on by default when you have the Google Play Store enabled.
>
> <https://play.google.com/store/apps/details?id=com.simplemobiletools.gallery.pro>
>
> f. We don't know how Carlos installed the app but if he installed it
> outside the Google Play Store client, does the GPS client know that?

I installed it the normal way, ie, using the Google Play app.

> g. The reason I ask is that Carlos stated the app was updated, somehow,
>   to the payware version and he doesn't know how that could have happened.

No, it was a normal automatic update of the normal, non pay version of
the app. A typical automatic update, as is the default on Android. This
update changed the app from being free for ever to be trialware. It
simply stops working after 15 days and asks the user to pay for the -pro
version instead. Any road, at this moment you have to remove the normal
version, and install, or not, the pro version.

> h. The only two things I can think of that are different in the app is
>   there must be code inserted to check the payment

No, see above.

> and the signatures
> are apparently different but otherwise, isn't the app exactly the
>   same on the Google Play Store repo as it is on the F-Droid repo?

No, they are not exactly the same. The version in F-droid is,
apparently, the pro version. We don't know for sure what differences
they may have as nobody has the pro version from google play to check.

>
> In summary, how does Android update an app which is free if you get it via
> sideloading but which is payware if you get it via the Google Play Store?

Google Play can not update applications installed via F-droid, nor the
other way round. See the wikipedia excerpt.

--
Cheers, Carlos.

Carlos E.R. wrote:

>> g. The reason I ask is that Carlos stated the app was updated, somehow,
>> � to the payware version and he doesn't know how that could have happened.
>
> No, it was a normal automatic update of the normal, non pay version of
> the app. A typical automatic update, as is the default on Android. This
> update changed the app from being free for ever to be trialware. It
> simply stops working after 15 days and asks the user to pay for the -pro
> version instead. Any road, at this moment you have to remove the normal
> version, and install, or not, the pro version.

Hi Carlos,

Yeah. I know that now. Thanks for unearthing that brand new peculiarity.

I had never suspected it since I've been using that free pro gallery app
for years and it didn't do it to me. I am one of the folks who promoted
that company years ago on this newsgroup, so I'm embarrassed it did that.

But then I looked it up and you're correct.
It's not intuitive. But it happened. And it happened to you.

To get more data, I ran a test of the signature of the F-Droid app for you.
<https://i.postimg.cc/9QTHSpYH/signature01.jpg> SMT Gallery v 6.164 Pro
<https://i.postimg.cc/SsLsh4Lq/signature02.jpg> Signed by FDroid

>> h. The only two things I can think of that are different in the app is
>> � there must be code inserted to check the payment
>
> No, see above.

None of us could have seen it coming since it's not a normal thing.
<https://www.simplemobiletools.com/blog/trial-period>

Worse, most of us got our Simple Mobile Tools off of F-Droid, where it
didn't happen to us so it only happened to those who got them from Google
Play Store (I think).

I never use the Google Play Store app (I don't even have it enabled), and I
rarely use the F-Droid store either (as I don't need either one of them).

So while I use almost every simplemobiletool app, I wouldn't have seen what
you saw so I'm glad you brought it up to the newsgroup so we all learn.

>> and the signatures
>> are apparently different but otherwise, isn't the app exactly the
>> � same on the Google Play Store repo as it is on the F-Droid repo?
>
> No, they are not exactly the same. The version in F-droid is,
> apparently, the pro version. We don't know for sure what differences
> they may have as nobody has the pro version from google play to check.

I have the pro version from the F-Droid repository (which I downloaded
direction from Windows, not using the F-Droid app) so I can only say what
it does not do what the Google Play Version did to you (not yet anyway).

However.... it has been my experience that the apps with the same name (the
same exact unique name I'm talking about) have the same functionality; but
it could be that with this app, that may not be the case.

As you said, we'd have to ask someone who knows the difference as neither
one of us has the pro version from the Google Play Store repository.
>> In summary, how does Android update an app which is free if you get it via
>> sideloading but which is payware if you get it via the Google Play Store?
>
> Google Play can not update applications installed via F-droid, nor the
> other way round. See the wikipedia excerpt.

Yeah, I'm glad you unearthed that Simple Mobile Tools retired some of their
free apps on Google Play by "offering" a free (mandatory) trial period.

I had always had minor problems when trying to update apps which were on
both respositories that I didn't bother researching because I could always
delete the apps and then re-install them with the latest version.

It turns out, I think, that things have changed over time, but what you
found seems to show that at this time, there's the following to consider.

1. The "free" package on F-Droid (which is every package on F-Droid)
must never cost money & must not have adds (but I'm not sure about
containing in-app purchases) while free apps on Google Play Store can.

2. The packages on F-Droid, since 2011, have been signed either by F-Droid
or by the developer - and hence can only be updated with another app
which is also signed either by F-Droid or by the developer.

3. The packages on the Google Play Store repository, since 2017, have been
signed either by Google or by the developer - and hence can only be
updated with another app which is also signed either by Google or
by the developer

That leaves a whole bunch of minor questions, like whether or not an
F-Droid package signed by the developer has the same signature as the same
Google Play Store package signed by that same developer.

Of course I could check, as most app managers provide the signature,
but I had never really delved into signatures before but I did for you.
<https://i.postimg.cc/9QTHSpYH/signature01.jpg> SMT Gallery v6.164 Pro
<https://i.postimg.cc/SsLsh4Lq/signature02.jpg> Signed by FDroid

Since I'm all about pitching in to help the team, I just created those
screenshots showing that the signature for the F-Droid SimpleMobileTool's
Gallery version 6.16.4 (323) package is signed by "FDROID" for sure.

Someone with the Google Play Version can just as easily check if the
signature is signed by Google or by the developer for that pro package.
--
Posted out of the goodness of my heart to disseminate useful information
which, in this case, is to learn together more about package signatures.

JAB wrote:

> In September 2017 Google Play started offering developers a signing key
> service managed by Google Play,[54] offering a similar service to what
> F-Droid offered since 2011, and F-Droid now lets developers use their
> own keys via the reproducible build process.[55]

When needed, we know unequivocally who signed the certificate using this:
*App Manager* - Android package manager by Muntashir Akon
A full-featured open source package manager for android.
<https://f-droid.org/packages/io.github.muntashirakon.AppManager/>
<https://github.com/MuntashirAkon/AppManager>
<https://muntashirakon.github.io/AppManager/en/>

In addition, I noticed we covered the topic of Google Play Updates here:
*Google Play update all apps*
<https://groups.google.com/g/comp.mobile.android/c/48Qs2nHV5Io>

Where the main thing I'll say here is nothing with respect to Android
updates works the way anyone would intuitively think it would work.

Andy Burns and I tested this thoroughly, in fact, and the way Android
updates the various layers and apps is decidedly NOT intuitive.

So if you guess... you _always guess wrong_ because it just doesn't work
the way you think it works (as can be seen somewhat with these images).
<https://i.postimg.cc/HsXKj7WK/updateallapps01.jpg> Doesn't update all!
<https://i.postimg.cc/4djB69pr/updateallapps02.jpg> Independent of GPS
<https://i.postimg.cc/02xKj04h/updateallapps03.jpg> Only updates SOME!
<https://i.postimg.cc/3xxyCJYB/updateallapps04.jpg> Only updates GOOGLE!
<https://i.postimg.cc/kgBB3mq0/updateallapps05.jpg> Use dedicated updaters
<https://i.postimg.cc/fy8TpHFW/updateallapps06.jpg> Some are really good
<https://i.postimg.cc/pLwVw50j/updateallapps07.jpg> No need for a sign in
<https://i.postimg.cc/BZMzpG4C/updateallapps08.jpg> Works even if disabled
<https://i.postimg.cc/g0jQBKrs/updateallapps09.jpg> GPServices vs GPStore
<https://i.postimg.cc/qqVFqVwD/updateallapps10.jpg> Update different stuff
<https://i.postimg.cc/4ymqRF7n/updateallapps11.jpg> e.g., GPSystem version
--
Posted out of the goodness of my heart to disseminate useful information
which, in this case, is to explain anyone who guesses will always be wrong.