I am trying to customize Android for a media device. We got the firmware from the manufacturer and it's based on Android 7 with minor modifications.
One of the things we would like to do is to restrict installation of apps on the device to certain apps only. We won't install any app store like Google Play on the device. We will build the firmware and install all apps onto the devices at our workshops and deliver to the customers. In future, we may want to install more apps on the devices via OTA or some mechanisms.
We would like to disallow customers sideloading other apps via USB port. We created a file (eg., whitelisted_apps.txt) that has the list of all approved app names, such as -
com.mycompany.android.app1
com.mycompany.android.app2
com.ourpartner.android.appx
We tweaked the PackageInstaller app of AOSP so that when a *.APK file is opened via the file browser and when the methods in PackageInstallerActivity.java are called, it will compare the name of the app to be installed against those in whitelisted_apps.txt and if the name is not found, disallow installation of the new app. It's working.
Now, we want to improve it further because whitelisted_apps.txt can be manipulated. Some people suggest using sqlite to keep the list. We are not sure if it will be the best solution.
Some suggest using certificates and signing and we think it's a better solution than others. We will sign all the apps we want to install on the device with our key. When a *.APK file is sideloaded, the PackageInstaller will get the signature of the APK and compare against ours. If they match, the app can be sideloaded.
We followed this excellent resource: SignatureCheck.java. It's working with the hardcoded APP_SIGNATURE. We have this currently:
public boolean validateAppSignature() throws NameNotFoundException {
boolean sigMatch = false;
String APP_SIGNATURE = "123456784658923C4192E61B16999";
PackageInfo packageInfo3 = mPm.getPackageInfo(
getPackageName(), PackageManager.GET_SIGNATURES);
try {
for (Signature signature : packageInfo3.signatures) {
// SHA1 the signature
String sha1 = getSHA1(signature.toByteArray());
Log.i(TAG, "got this SHA1 of the signature ... "+sha1);
// check if it matches hardcoded value
sigMatch = APP_SIGNATURE.equals(sha1);
if (sigMatch){
return sigMatch;
}
}
} catch (Exception e) {
e.printStackTrace();
}
return false;
}
Just that we don't know how to do that in a real world situation. When we build, install apps or release with OTA, we sign those apps with our private key and then on the device (PackageInstaller app), we hardcode our certificate's SHA1 signature as APP_SIGNATURE so that we can compare? Any other ideas?
Thank you so much.
Seems like you're trying way too hard to partially shut down sideloading. Use a Device Owner to completely turn off installation, and just preload the apps you want. Or make it so the only app that can install is your own downloader that only looks at your server.
Related
I want to use google translate offline lang.packs. But it has to be a diff. app with a diff. icon.
My app has to work completely offline. Google translate does work offline if the packs are on the phone. But the packs are not available as standalone or in API format!
I do know from another answer that the lang packs and the neural model is a major value of the company. So they dont want to give it away for free to devs as API.
Training my own neural model with libs like TensorFlow is daunting task. I want to reuse existing libraries\apps
Based on Google Play Privacy Policy Hiding an App within another App Without User's Knowledge is Considered as a Malicious Behavior.
The following are explicitly prohibited:
Viruses, trojan horses, malware, spyware or any other malicious
software. Apps that link to or facilitate the distribution or
installation of malicious software.
Apps or SDKs that download executable code, such as dex files or
native code, from a source other than Google Play.
Apps that introduce or exploit security vulnerabilities.
Apps that steal a user’s authentication information (such as
usernames or passwords) or that mimic other apps or websites to trick
users into disclosing personal or authentication information.
Apps that install other apps on a device without the user’s prior
consent.
Apps designed to secretly collect device usage, such as commercial
spyware apps.
Here are my Suggestions.
Suggestion 1 : Recommended Way
Check Weather the Required Applications are Installed / Not in User Mobile
try {
context.getPackageManager().getApplicationInfo(packageName, 0);
return true; //Application Installed
}
catch (PackageManager.NameNotFoundException e) {
return false; //Application Not Installed
}
If not Redirect them to the PlayStore (Originally Answered Here)
final String appPackageName = getPackageName(); // getPackageName()
from Context or Activity object try {
startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse("market://details?id=" + appPackageName))); } catch
(android.content.ActivityNotFoundException anfe) {
startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse("https://play.google.com/store/apps/details?id=" +
appPackageName))); }
Suggestion 2 : If You wish to Distribute the Application offline(Not through PlayStore) Then
Append the Required Apk Files in Assets folder of the Main Application
Do the same Check Like in Suggestion 1. But Instead of Redirecting to PlayStore, Launch the Package Installer for the Apk in Assets Folder.
I have done a Demo Project for this scenario . Please Check it for More Reference
I've created an android application, and also a paid key-application that can open some features in the regular application.
I tried to use this code to check if the paid key is installed:
protected static boolean isProInstalled(Context context) {
PackageManager manager = context.getPackageManager();
if (manager.checkSignatures(context.getPackageName(), "com.myapps.appkey")
== PackageManager.SIGNATURE_MATCH) {
//Pro key installed, and signatures match
return true;
}
return false;
}
It worked on my phone when I installed the two APKs that I exported from Eclipse (I think I exported them. Maybe it was directly with "run"/"debug". I can't remember). But when I uploaded them to Google Play - I got a message from a user that said that he bought the key but the features are still blocked.
Is there something I do wrong? What are those signatures anyway? Does it have anything with the alias and keystore when I export the APKs?
The debug key is the default used when you run from the IDE, so while testing, they both were using the same key. But you signed them with different keys for the store, so the signatures won't match.
As #NobuGames mentioned in the comments, at this point since you already published both apps, you can update the free one to check for the key hash of the paid app using a hard-coded string. This theoretically might make it easier for someone to make a premium-unlocked pirate version of your app, although if they are digging into your source code that far, I suspect they would have succeeded anyway. Think of that as a good problem to have (popular enough app for pirates to spend that much time hacking on yours).
Working with Lollipop, I have a device-owner app that is installed with NFC at provision time.
What I need now is to handle automatic updates for my App, from Google Play to rely on the standard Android App update system...
So far I can imagine 2 ways to get this done, but don't know how to handle any of them :
in my NFC install constant EXTRA PROVISIONING DEVICE ADMIN PACKAGE
DOWNLOAD LOCATION install the App directly from the Play Store instead of the url on my own dev server. However
this constant need to handle the url of an apk file, and I did not find any
official way to get apk install direct from Play Store ? (as it will
be a production App in the future I'm not interested in hacks)
keep installing the apk from the dev server, but then allow the App
to update itself with its little brother located on the Play Store
with the same package name. To say it an other way: Would this be possible to install a v1 apk from a custom location, then put a v2 on the PlayStore... and let the magic come true ?
I'd be glad to hear if anyone could share experience about such procedures. Thanks for reading!
EDIT after #Stephan Branczyk suggestion I could make some more testing, here is what I did and the results:
1 - In the NFC provisioning I replaced the apk url with
snep://my.app.packagename without luck ; it just gives an error
without much explanation.
2 - I replaced this url by such a PlayStore link :
https://play.google.com/store/apps/details?id=my.app.packagename but
it gives a checksum error whether I use the checksum locally
computed, or the checksum given on the GooglePlay apk details. It looks not so far from the goal but I could not make it work.
3 - Finally I came back on my first solution, a self-hosted apk
versioned 1... but this time I tried to put on the PlayStore a newer
version 2 of the app with the exact same packagename... That led me
to strange things:
At first my App did not appear anywhere in the local PlayStore App,
but when I searched for it in Google Play, it showed up with the green
"installed" badge, and it proposed me to make an update... So did I.
Then, after this first manual update, the App is in v2, nice, and
better: it appears well listed in my PlayStore.
Optimistically, I uploaded a v3 of the App... just to see if my
PlayStore would automatically update my app (as is does for all the
other ones), but sadly no luck : even if my app is still listed in the
playstore, and proposing the "update" button... it never
updates by itself as it should ; I still need to click on it manually.
Isn't it a strange behavior ? If some have ideas about it, I would really need to be able to rely on the Play Store functionalities but so far no luck, and I cannot believe that Device-Owner app distribution is not compatible with PlayStore ?
Just in case, FYI here is the kind of provisioning code I'm using:
try {
Properties p = new Properties();
p.setProperty(
DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME,
"my.app.packagename");
p.setProperty(
DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION,
"http://www.example.com/myDeviceOwnerApp.apk");
p.setProperty(
DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM,
"U55o3fO0cXQtUoQCbQEO9c_gKrs");
ByteArrayOutputStream bos = new ByteArrayOutputStream();
OutputStream out = new ObjectOutputStream(bos);
p.store(out, "");
final byte[] bytes = bos.toByteArray();
NdefMessage msg = new NdefMessage(NdefRecord.createMime(
DevicePolicyManager.MIME_TYPE_PROVISIONING_NFC, bytes));
return msg;
} catch (Exception e) {
throw new RuntimeException(e);
}
Write your package name as an AAR record in the tag.
To confirm that this functionality works, use this app to write the tag with.
You need to set Base64 encoded SHA1 or SHA256 (from M forward) of the apk in the
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
field when provisioning through NFC otherwise the provisioned device will not accept the URL for download.
Also see this answer for properly encoding the checksum.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Supporting Amazon and Android market links inside application
I was wondering if and how you could differentiate between an Amazon App Store installed app and one installed from the Market.
For example, say I have my app called "Example App", and I want to develop for Amazon and the Market. In the app I have links to rate Example App. I also have a link to buy Example App Pro. This poses a problem because Amazon will not release my app if it links to a different App store.
This requires me to make 2 APK files, which is a pain. It only takes about 30 seconds extra to export both, but it creates extra clutter and testing time.
So has anyone found a way to make a single APK that can be uploaded to both Amazon and Android Market without making any changes between the two so that at run time I can check whether it's the Amazon or the Market that installed it and change the links accordingly?
Edit: At the time of this post, I wasn't aware of it, but there does exist getInstallerPackageName() but I'm not sure how reliable that is. I'm also not sure what it returns for Amazon / Market, etc. It might be worth looking at, but if it doesn't work, then the below method works for Google vs Amazon.
You will have to sign the application as normal, run on your test device, get the value of sig.hashCode() from your logs, then replace -1545485543 with whatever value you got for sig.hashCode() then export and sign again (WITH THE SAME KEY AS BEFORE) and then upload to Amazon and Market both - from the same APK.
Do it:
public static boolean isMarket(Context context){
boolean isMarketSig = false;
int currentSig = 1; // I just set this to 1 to avoid any exceptions later on.
try {
Signature[] sigs = context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES).signatures;
for (Signature sig : sigs)
{
currentSig = sig.hashCode();
Log.i("MyApp", "Signature hashcode : " + sig.hashCode());
// This Log is for first time testing so you can find out what the int value of your signature is.
}
} catch (Exception e){
e.printStackTrace();
}
//-1545485543 was the int I got from the log line above, so I compare the current signature hashCode value with that value to determine if it's market or not.
if (currentSig==-1545485543){
isMarketSig = true;
} else {
isMarketSig = false;
}
return isMarketSig;
}
public static void openStore(Context context){
if (isMarket(context)){
Intent goToMarket = new Intent(Intent.ACTION_VIEW,Uri.parse("market://d" +
"etails?id=com.jakar.myapp"));
goToMarket.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(goToMarket);
} else {
Intent goToAppstore = new Intent(Intent.ACTION_VIEW,Uri.parse("http://www.amazon.com/gp/mas/dl/andro" +
"id?p=com.jakar.myapp"));
goToAppstore.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(goToAppstore);
}
}
Basically, the hashCode() that you get from the app installed on your testing device will be the same one from the market. The hash code from the app store will be different because according to https://developer.amazon.com/help/faq.html, the app store signs the application with a signature specific to your developer account, so that will return a different value that what you actually signed it with.
And I put the isMarket and openStore methods in a different class called OtherClass so that I only have to code it once. Then from any activity where I need to open the proper link, I just call OtherClass.openStore(context);
Note: It works to open the market successfully, but I haven't yet deployed this method on the App Store, so I haven't completely tested it. I am confident it will work, but can make no guarantees, so if you use what I've suggested and it fails, please don't hold me accountable.
This was a big help in coming up with an answer so I could test which signature was being used.
So one of my applications was rejected from the Amazon app store today. The reason was because inside my app, I linked to the paid version of the app on the Android market. Disappointing, but whatever, I guess everyone wants their cut...
So now I'm left having to modify the application to change the Android market link to an Amazon app store link. Not really a big deal except for now if I do that I'm left with a discrepancy when I want to upload a newer version back to the Android market. After all, it would be rather dumb to link someone to the Amazon app store if they purchase the app from the Android market.
Now we all know that it is a pain supporting/managing multiple versions of the same app. Consequently my question becomes how can I link to both at the same time? Is there a way to tell where an app was downloaded from so I can code both links into the app and thus point the user automatically to one or the other? Secondly, is it against the Amazon TOS to give the user a choice (say I pop up a dialog instead and ask the user where to download from)?
Thanks all.
Edit: Direct from Amazon customer service "Re: Link to both markets" (I wish the approval process was as fast as these guys):
For the time being, we need any
linking to point back to the Amazon
Appstore only for market links.
Linking to your website is allowed,
just not other markets.
When pointing to other apps from
within your app, including up-sells,
completion of purchase must be from
the Amazon Appstore.
Good news! Apparently the latest version of the Amazon store finally sets PackageManager.getInstallerPackageName() to "com.amazon.venezia" to contrast with Google Play's "com.android.vending". This will be the easiest way to determine if your app is sideloaded, installed from Amazon, or installed from Google.
Here's what you can do:
Complete the preparation and signing of your application.
Install it on your test device
Use PackageManager.getPackageInfo
How to do this:
public static boolean isMarket(Context context){
boolean isMarketSig = false;
int currentSig = 1;
try {
Signature[] sigs = context.getPackageManager().getPackageInfo(context.getPackageName(), PackageManager.GET_SIGNATURES).signatures;
for (Signature sig : sigs)
{
currentSig = sig.hashCode();
Log.i("MyApp", "Signature hashcode : " + sig.hashCode());
// This Log is for first time testing so you can find out what the int value of your signature is.
}
} catch (Exception e){
e.printStackTrace();
}
//-1545485543 was the int I got from the log line above, so I compare the current signature hashCode value with that value to determine if it's market or not.
if (currentSig==-1545485543){
isMarketSig = true;
} else {
isMarketSig = false;
}
return isMarketSig;
}
public static void openStore(Context context){
if (isMarket(context)){
Intent goToMarket = new Intent(Intent.ACTION_VIEW,Uri.parse("market://d" +
"etails?id=com.jakar.myapp"));
goToMarket.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(goToMarket);
} else {
Intent goToAppstore = new Intent(Intent.ACTION_VIEW,Uri.parse("http://www.amazon.com/gp/mas/dl/andro" +
"id?p=com.jakar.myapp"));
goToAppstore.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(goToAppstore);
}
}
Basically, the hashCode() that you get from the app installed on your testing device will be the same one from the market. The hash code from the app store will be different because according to https://developer.amazon.com/help/faq.html, the app store signs the application with a signature specific to your developer account, so that will return a different value that what you actually signed it with.
Note: It works to open the market successfully, but I haven't yet deployed this method on the App Store, so I haven't completely tested it. I am confident it will work, but can make no guarantees, so if you use what I've suggested and it fails, please don't hold me accountable.
You can do the following things:
Check if the device based on its Manufacturer.
For ex: https://developer.amazon.com/sdk/fire/specifications.html
For writing reviews and opening the Amazon App Store use the following intent
amzn://apps/android?p=package_name
where p=Link to the detail page for a specific package name.
Ref: Amazon developer link.
https://developer.amazon.com/sdk/in-app-purchasing/sample-code/deeplink.html
As you said, you could use a boolean and then be forced to build your apps twice, so I bevelive it's not the best way.
The best way is to check if android market is installed and act accordingly: here.
Another even more complex way is to query the name of the installer of your app, using PackageManager.getInstallerPackageName. This needs extra work since the app can be installed by parallel markets even if you are on android device with android market installed, and also you must check if it's installed as debug/development (installer package name is null in this case).
What a hard way to do this. If you just want to open the market url, just check if the intent with the url for android market has any activity that knows how to handle it. If not, open up the amazon appstore with another intent.
/**
* Returns intent that opens app in Google Play or Amazon Appstore
* #param context
* #param packageName
* #return null if no market available, otherwise intent
*/
public static Intent showApp(Activity activity, String packageName)
{
Intent i = new Intent(Intent.ACTION_VIEW);
String url = "market://details?id=" + packageName;
i.setData(Uri.parse(url));
if (isIntentAvailable(activity, i))
{
return i;
}
i.setData(Uri.parse("http://www.amazon.com/gp/mas/dl/android?p=" + packageName));
if (isIntentAvailable(activity, i))
{
return i;
}
return null;
}
public static boolean isIntentAvailable(Context context, Intent intent) {
final PackageManager packageManager = context.getPackageManager();
List<ResolveInfo> list =
packageManager.queryIntentActivities(intent,
PackageManager.MATCH_DEFAULT_ONLY);
return list.size() > 0;
}
Another way is to build using ant. This way you can generate dynamically a java class with constants set to a value that represent the app market, and output different builds with ease. This however takes some learning but when you have it running, it's very easy.
I was also struggling with this, but decided that the instant success I'm seeing with my free app on Amazon warrants the time to create a second set of .apks when I make a new build. I went with the Amazon boolean flag for now, and create one common version, then a version incremented by one for the Amazon market. No other markets demand internal linking, AFAIK.
I eventually intend to code up a market chooser with a slick way to automatically figure out what to do, but there are a lot of variables - not just the market address of one app, but how different markets recognize the company name to find all apps. Some market apps hijack the main Android market protocol (e.g. Appslib and SlideMe if I remember correctly) but don't store the company name the same way. Then you need to decide where upsell links go - to the same market or to a common one (I only submitted my free app to most of the markets I use).
I am waiting for my paid app to be approved, but I am pretty sure it will be worth it to have it available on the Amazon market given how many downloads I've gotten for my free app.
Just refactor most of your project into a Project Library, and then create multiple projects (e.g., for each app store) that have only unique icon and string resources, their own package ID declared in the manifest, and then a main activity that extends the main activity that you have defined in your library.
That way, all the unique URLs can be provided by overriding, in each particular app project's activity, the virtual or abstract methods defined in your library's main activity. The library code that that displays these URLs can obtain them via a polymorphic call to each of those methods.
That way, each such specialized project will be very small, and maintenance will be mainly to your library, as described here:
Multiple Apps with a shared code base