Essentially the apps have the same package name but different signatures, and the app store that installed it should be the only one to recognize and update it.

But Google is likely trying this dark pattern to sway people away from F-Droid or alt stores by making users uninstall these apps and install them from the Google Play Store.

It’s been going on for a while and is annoying af.

https://android.stackexchange.com/questions/253727/why-is-googles-play-store-suddenly-trying-to-update-apps-installed-via-f-droid

  • Martin
    9 months ago

    Mismatched signatures have been discouraged since day one of Android. A mismatched signature is a sign that someone other than the original publisher built this package, and the user needs to be aware that it might be malicious.

    That F-Droid went with this setup with mismatched signatures was always going to make their apks look suspicious.

    • NeatNit@discuss.tchncs.de
      9 months ago

      You misunderstood the whole situation. The signatures are all fine. Google Play Store is trying to override an app installed from F-Droid. If the two stores had the same signature, the Play Store would be able to do this, which would go completely counter to the user’s choice (they installed from F-Droid for a reason). It’s a good thing the signatures don’t match, there’s nothing suspicious about it.

      It used to be that the Play Store just wouldn’t show updates to apps that it wasn’t actually able to update. They broke this behaviour.

      • Norgur@fedia.io
        9 months ago

        No, it’s not a good thing. The solution would be to use a different package name for the F-Droid version. That’s what’s supposed to be done. It’s not the signature or Google that’s causing the problem. It’s that there are two packages with identical names that should not be identical.

      • Martin
        9 months ago

        The package name is the unique id. If you want to distribute multiple variants (like two versions with differing signatures) they should not have the same identifier. If they are not the same the id/package name should not be the same.

        Having different package names would also prevent the Google Play Store from trying to update it.
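
The package-name and signature rule debated in this thread, as an added example that is not part of any comment above: it parses `aapt dump badging` and `apksigner verify --print-certs` output for an installed build and a candidate build and reports whether the candidate could replace it. The package names, digests and function names are constructed for illustration, and signing-key rotation is assumed not to be in use.

```python
import re

def parse_badging(text):
    """Return (package_name, version_code) from `aapt dump badging` output."""
    m = re.search(r"^package: name='([^']+)' versionCode='(\d+)'", text, re.M)
    if not m:
        raise ValueError("no package line found")
    return m.group(1), int(m.group(2))

def parse_signers(text):
    """Return the set of signer SHA-256 digests from `apksigner verify --print-certs`."""
    pat = r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})$"
    digests = frozenset(d.lower() for d in re.findall(pat, text, re.M))
    if not digests:
        raise ValueError("no signer digest found")
    return digests

def update_verdict(installed, candidate):
    """installed/candidate are (badging_text, certs_text) pairs."""
    pkg_i, ver_i = parse_badging(installed[0])
    pkg_c, ver_c = parse_badging(candidate[0])
    if pkg_i != pkg_c:
        return "separate-app"        # different id: installs side by side
    if parse_signers(installed[1]) != parse_signers(candidate[1]):
        return "signature-mismatch"  # same id, different publisher key
    if ver_c < ver_i:
        return "downgrade"
    return "update-ok"

# Constructed sample tool output (not taken from the thread).
def sample_badging(name, code):
    return f"package: name='{name}' versionCode='{code}' versionName='1.0'\n"

def sample_certs(digest):
    return ("Signer #1 certificate DN: CN=constructed\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n"
            "Signer #1 certificate SHA-1 digest: " + "00" * 20 + "\n")

FDROID_BUILD = (sample_badging("org.example.app", 41), sample_certs("ab" * 32))
PLAY_BUILD = (sample_badging("org.example.app", 42), sample_certs("cd" * 32))
FDROID_NEXT = (sample_badging("org.example.app", 42), sample_certs("AB" * 32))
RENAMED_BUILD = (sample_badging("org.example.app.fdroid", 41), sample_certs("ab" * 32))

if __name__ == "__main__":
    for label, cand in [("play", PLAY_BUILD), ("fdroid-next", FDROID_NEXT)]:
        print(label, "->", update_verdict(FDROID_BUILD, cand))
    print("renamed vs play ->", update_verdict(RENAMED_BUILD, PLAY_BUILD))
```
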