I want to access the apk file of any app before installation.
In more details: in google play store when the user clicks on Install button I want my application to access the apk file of the application that the user wants to download, and analyze this apk file and be able to whether allow the installation or stop it.
is that possible and if so how to approach this
On Android this functionality was introduced in Android 4.2. It is usually used by anti-malware products like Google Play Protect is known as a "Package Verifier". There is a good blog post on it here.
The short answer is this has to be done as part of the phone manufacturing process as it is so critical to security. So the answer is it can be done, but if you write this code you will need to get a phone manufacturer to include your code as part of a phone system image.
Most third party anti-malware products instead rely on analyzing the APK after the install happens by listening to the package added notification.
Definitely not possible in the way that you want. Android's OS is pretty well locked down. You might be able to do something if the device was rooted but at that point you may as well write your own OS fork. You can attempt to do someting with https://developer.android.com/reference/android/content/Intent.html#ACTION_PACKAGE_ADDED broadcast but you will not be able to analyze the apk freely nor will you be able to stop the installation of it.
Related
is it possible to create an android application that is meant only for internal use? Basically a private application not meant to be installed by non-approved phones?
If so what is the basic process of deployment? How do you get the app on the employees phone's?
thanks!
The easiest way is to email it to them. Any email with an .apk attachment will get an "Install" button that you can tap to install the app.
Installing from non-market sources needs to be enabled -- which is a bit of a security risk -- but the user will be prompted to turn that on if they need to, and even given a button that will take them right to the appropriate settings page. The whole process is really quite slick. :)
Alternatively, you can copy it to the phone (e.g. after connecting the phone in USB storage mode) and then use a file system app to locate the file and install it.
Emailing it is the easiest way, however.
Edit: I'm assuming you meant private as in "only sent to certain individuals" and you're not actually looking for a method that will prevent the apps from being run on non-approved devices should they end up on one.
There's a proper way to do it now: Google Play Private Channel for Google Apps. You publish app on Private Channel and then send invitations to users. It won't be seen by other users of Google Play.
Option 1
Using Google Play Private Channel is probably the best way, but is useful only for Google Apps users.
Option 2
You can use new Developer dashboard options that let your app be in Alpha or beta phase and is available to only selected google accounts (using groups or google plus circles). Your app can stay in beta indefinitely so not become visible to other users. if you like this method you can also use services like TestFlight.
Option 3
Mail distribution is also ok it's even mentioned in documentation which I find a little bit odd, but I would advise you to use some file storage like Dropbox and just distribute the link to selected people.
Two major ways:
You can either use the non-market application installation method, or adb from a connected PC to install an apk which you distribute as a bare file. The downside is that anyone in possession of the apk can install your application.
Alternatively, you can distribute the application through the android market, but make it require an account on a server you control in order to do anything useful. The upside is that possession of the apk doesn't get an unauthorized user much; the downside is negative ratings from confused randoms, and that you've made your apk very available for interested parties to know about and decompile. (There is or was also a way to put an app on the market but not list it so it was only accessible via a full url, however don't rely on that)
Yes. As of right now I use such a method, I have to manually load the app on the phone, however other techniques can be used. Once loaded the app checks the main server to see if it is up to date. If it is not, it downloads and installs the new version of itself.
If you go to your eclipse workspace and go to yours app's folder, in the bin folder assuming you develop with eclipse, you will find a .apk file somewhere in there. Copy it to the phone and then use something like EZ File Explorer (or something like that) to access your android filesystem, click on the .apk and it will install and be ready to use.
My question may look strange but I'll try to explain somehow. Let's imagine there is an Android device with software that adjusts some settings based on application package name - it's a real-life scenario. This software may provide better performance for listed applications and there is no way to add my application to that list. What I'm capable of doing is to release my application under one of listed package names (not to Google Play, just provide APK on GitHub so that anyone who wants to use it will install it manually). And there comes my question:
is it legal to use some company's existing package name for my own application? Is it protected legally? My app is free & open source application.
Just to be clear: I'm not doing this to impersonate "real" application with bad intentions. I just want my application to use full range of device capabilities... And download page will state it clearly & visibly :)
In other words: can I release app with package name e.g. com.google.android.talk? I know that it won't override existing app if someone has it installed etc. (it's not my goal to override some application). I'm just talking about such possibility and legality.
This is totally legal, as you can use whatever String you want for your app/package name.
However, just doing this will most probably be not enough to "impersonate" the other app, as this would be a serious security flaw. First of all, there can never be two apps with the same package name installed.
If the app you speak about is created by a "serious" developer, say Google or one of the OEMs, it will check both package and signature of the app and will therefore know your app is not the same as the replaced app.
Also, when the user tries to install your app, a package conflict will happen, followed by the signature conflict. There are two scenarios here:
If the app you are replacing is a standard app, the user will be able to install your app from adb, but only after thay accept to completely wipe the data of the original app. You have probably seen this dialog while developing stuff.
If the app is provided by the OEM and has system permissions, the installation will simply fail, with no possibility to "overwrite" the app. This can be dodged by having the devices rooted, replacing the .apk file in the system directory and restarting the phone.
Please mind that none of the above will work by just uploading the .apk to the phone. This needs to be done from adb. On-phone installer will just fail.
My application will be running on hundreds of android devices belonging to a single owner and I may need to modify the software as an update at some point.
I decided I should include a feature to check with the server for updates and download them, which is currently working.
Installing the update is the difficult part. I need it done automatically. Preferably with no user interaction since there are hundreds of devices and it would be very time consuming to do each one manually.
This is the problem, even with the device rooted, I can not find a generic way that each device can install the update without system specific information.
I have read questions like this but can not find a proper answer: Install Android APK without prompt
The bottom answer executes but I can find no installed app, so I assume it failed.
What you want to do is not possible without some serious hacks. A private app store might be a better fit.
If your client is a Google Apps user, you can create a private channel in the Play Store.
Distribute Android apps in your organization
If not, you will have to rely on third party solution like these one:
Apperian Mobile Application Management
ManageEngine Mobile Device Manager
I didn't try any of these, so you will have to do some research to check that they fit your needs
I'm currently developing a small Android app that will not be on the Play Store. It is a private business application that will be used for a non-emergency transport company. The Android app will show drivers a list of pickups and drop-offs that they will have throughout the day and allow them to update the status of those trips. What I'd like to do is have some method of updating the app during off hours or when the device is idle. Ideally, it would be great if someone has already written some kind of Android updater that can run as a service. However, I certainly wouldn't mind writing this on my own.
Either way, all it needs to do is pull an APK from our servers and install that APK. I usually don't like doing things sneaky like this, but our clients want it to be this way so that they won't have to go to each device and press OK on permission prompts and they don't want to leave the responsibility of updating the software to the drivers.
I understand the security concerns, but it seems to me that there should be some way to allow an app to auto-update itself if the user permits it. Also, our app is signed and includes a certificate on the device to verify that the downloaded app is legit.
As CommonsWare mentioned it's not supported by standard android. If you take the path of creating your own firmware and installer take a look at the existing PackageInstaller. The required changes are not so complicated.
I did it for a couple of custom versions and it works.
Either way, all it needs to do is pull an APK from our servers and install that APK. I usually don't like doing things sneaky like this, but our clients want it to be this way so that they won't have to go to each device and press OK on permission prompts and they don't want to leave the responsibility of updating the software to the drivers.
This is not possible, except via custom firmware or on a rooted device.
it seems to me that there should be some way to allow an app to auto-update itself if the user permits it.
You are welcome to build your own customized version of Android that has this capability. Stock Android does not offer this, except to the firmware itself.
is it possible to create an android application that is meant only for internal use? Basically a private application not meant to be installed by non-approved phones?
If so what is the basic process of deployment? How do you get the app on the employees phone's?
thanks!
The easiest way is to email it to them. Any email with an .apk attachment will get an "Install" button that you can tap to install the app.
Installing from non-market sources needs to be enabled -- which is a bit of a security risk -- but the user will be prompted to turn that on if they need to, and even given a button that will take them right to the appropriate settings page. The whole process is really quite slick. :)
Alternatively, you can copy it to the phone (e.g. after connecting the phone in USB storage mode) and then use a file system app to locate the file and install it.
Emailing it is the easiest way, however.
Edit: I'm assuming you meant private as in "only sent to certain individuals" and you're not actually looking for a method that will prevent the apps from being run on non-approved devices should they end up on one.
There's a proper way to do it now: Google Play Private Channel for Google Apps. You publish app on Private Channel and then send invitations to users. It won't be seen by other users of Google Play.
Option 1
Using Google Play Private Channel is probably the best way, but is useful only for Google Apps users.
Option 2
You can use new Developer dashboard options that let your app be in Alpha or beta phase and is available to only selected google accounts (using groups or google plus circles). Your app can stay in beta indefinitely so not become visible to other users. if you like this method you can also use services like TestFlight.
Option 3
Mail distribution is also ok it's even mentioned in documentation which I find a little bit odd, but I would advise you to use some file storage like Dropbox and just distribute the link to selected people.
Two major ways:
You can either use the non-market application installation method, or adb from a connected PC to install an apk which you distribute as a bare file. The downside is that anyone in possession of the apk can install your application.
Alternatively, you can distribute the application through the android market, but make it require an account on a server you control in order to do anything useful. The upside is that possession of the apk doesn't get an unauthorized user much; the downside is negative ratings from confused randoms, and that you've made your apk very available for interested parties to know about and decompile. (There is or was also a way to put an app on the market but not list it so it was only accessible via a full url, however don't rely on that)
Yes. As of right now I use such a method, I have to manually load the app on the phone, however other techniques can be used. Once loaded the app checks the main server to see if it is up to date. If it is not, it downloads and installs the new version of itself.
If you go to your eclipse workspace and go to yours app's folder, in the bin folder assuming you develop with eclipse, you will find a .apk file somewhere in there. Copy it to the phone and then use something like EZ File Explorer (or something like that) to access your android filesystem, click on the .apk and it will install and be ready to use.