android事件薄－不能安装APK的一种原因

1，环境 事件
OS:ubuntu 9.04
eclipse:3.4.0
android API:1.5

一个app，在api 1.6的 AVD上跑没事，换到1.5的AVD上就不能安装上去了。

2，Log

console:
[2010-04-22 11:46:01 - AppStore] Installation error: INSTALL_FAILED_UPDATE_INCOMPATIBLE
[2010-04-22 11:46:01 - AppStore] Please check logcat output for more details.
[2010-04-22 11:46:01 - AppStore] Launch canceled!

DDMS.logcat:
04-22 03:45:54.835: ERROR/PackageManager(577): Package com.thunderst.android.appstore has no signatures that match those in shared user com.xxx.android.yyy; ignoring!
04-22 03:45:54.835: WARN/PackageManager(577): Package couldn't be installed in /data/app/com.xxx.android.yyy.apk


3,解决
涉及到2个关键词：signatures ，shared user

从INSTALL_FAILED_UPDATE_INCOMPATIBLE 和 signatures 判断可能是重复装载apk的问题，站内 http://xusaomaiss.iteye.com/blog/393296提了解决办法。

当然，不是这个原因。

焦点集中在shared user

后来在manifest.xml中找到
android:sharedUserId="com.xxx.android.yyy"
这么一个配置，就是它在捣乱！

在后来发现这个是android1.5R1的一个bug,已经在之后的版本中被修复了。

------

#2009-006 Android improper package verification when using shared uids

Description:

Android, an open source mobile phone platform, improperly checks developer certificates when installing packages that request the shared user identifier (uid) permission.

Normally, Android applications will be allowed to share a uid if the packages are all signed by the same developer certificate and request permission to do so at install-time. This allows for packages from the same author to share data. Without enforcement of that behavior, it is possible for any application to be installed in such a manner that it gains access to another (existing) application's data.

A patch has been made available by Android.

Affected version:

Android >= 1.5 CRB17 <= 1.5 CRB42

Fixed version:

Android >= 1.5 CRB43

(Android 1.0 and 1.1 are unaffected.)

Credit: Panasonic

CVE: CVE-2009-1754
Timeline:

2009-05-14: Panasonic reported the issue to the Android Security Team
2009-05-18: Android Security Team requested assistance from oCERT
2009-05-19: oCERT requested CVE assignment
2009-05-22: CVE assigned
2009-05-22: advisory release

References:
Patch

Permalink:
http://www.ocert.org/advisories/ocert-2009-006.html