Essentially the apps have same package name but different signatures and the app store that installed it should be the only one to recognize and update it.

But Google is likely trying this dark pattern to sway people away from F-Droid or alt stores by making users uninstall these apps and install it from the Google Play Store.

It’s been going on for a while and is annoying af.

https://android.stackexchange.com/questions/253727/why-is-googles-play-store-suddenly-trying-to-update-apps-installed-via-f-droid

  • NeatNit@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    3
    ·
    8 months ago

    Maybe that’s true, but then:

    • They previously had code to prevent this, why did they remove it?
    • Why won’t they fix it now? I’ve reported this twice already and I’m not the only one, this is affecting a huge number of users, why are they ignoring it? I refuse to believe they’re not aware of it. And if they aren’t aware of it that points to an even bigger issue of having absolutely no idea the repercussions of that they do even when thousands/millions of users reach out to tell them.
    • Norgur@fedia.io
      link
      fedilink
      arrow-up
      7
      arrow-down
      1
      ·
      7 months ago

      I think you massively overestimate the amount of users that are a) affected by this b) reporting it When seeing the overall picture, this might mlbe a rather fringe issue in Google’s eyes.

      Furthermore, you might be exaggerating the impact as well. The “impact” is that an app update fails. That’s it. That might be annoying, but isn’t the grave and evil thing you make it out to be.

      Besides, have you ever thought about that this stems from a rather bad practice on F-Droid/app developer side? They use the same package name for a software with a different signature. That’s just not ideal to begin with. All packages with the same name should have the same signature for any given version of the package. That’s how security works. If they don’t follow that, how is a user/security software supposed to check if the signature is authentic or of the package was tampered with?

      • NeatNit@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        2
        ·
        edit-2
        7 months ago

        AFAIK F-Droid allows using the same signing key as in PS. The choice is up to the developer. But as I said, if they use the same key then PS will overwrite the app, which is 100% unwanted behaviour.

        What do you suggest about package names? Do you think there should be org.wikipedia.playstore, org.wikipedia.fdroid, org.wikipedia.galaxystore to use a different package name per store? Or should just F-Droid get the special name?

        Do you think it’s okay when e.g. play store and galaxy store update apps installed by the other store? This happens with various apps, especially some Samsung and Microsoft apps. (Obviously only when using the same keys, but I think this is common practice)

        And specifically do you think that’s okay when F-Droid is thrown into the mix? I think absolutely not, especially since F-Droid often removes proprietary libraries, ads and tracking that are present in the other sources.

        Honestly I can warm up to the idea that F-Droid builds should have a unique package name (call it a flavour, even if it’s 1:1 with the play store release). But the Play Store and Galaxy Store overwriting each others’ apps already reeks of idiocy and bad design to me, and F-Droid has nothing to do with it.