I have started to work on AOSP and I have a couple of applications that I do not want to update when I update my OS. I tried using the vendor partition and flashing my specified applications on the vendor partition, which built successfully. During run time the application crashed since it needs some system level permissions. Is there any way I can have a system app on the vendor partition?
Have this in your manifest
android:sharedUserId="android.uid.system"
Then using Android Studio menu Build > Build APK(s). Then take that apk and sign with system signature using pem and pk8 files. Then push them in /vendor/app
OR Build the app using AOSP tree. Push that apk from out//vendor/app/ .
Hope this helps.
I have access to an Android tablet's platform key and certificate. I'm attempting to build an app and install it with system level privileges by doing the following:
Create a Java KeyStore file with platform.pk8 and platform.x509.pem using the bash script called platform_import_keystore found on GitHub.
In AndroidManifest.xml add the following:
<uses-permission android:name="android.permission.READ_LOGS"/>
android:sharedUserId="android.uid.system"
Sign APK with PLATFORM key and certificate using a Java KeyStore file in Android Studio.
Install APK
When the app runs, the system denies READ_LOGS permission.
Why isn't my app running with system level permissions?
What #Mark mentions is correct to some extent, for system apps.
I think you are doing something else wrong.
I have tried this with system apps as well, and as long as it was signed with the platform keystore, it works. Now this was on Android 8 and Android 9. You haven't mentioned the AOSP version running the device.
That changes things AFAIK, so if it's AOSP 10+, it might behave differently.
Also, the other comments are missing another key thing: SELinux. SELinux is not permissive for user builds. Verity is enabled, and you cannot have root access. So you cannot push the app into /system/priv-app/ or push it into /vendor/app/.
You cannot access system resources without proper SE Policy files. You can check the logs yourself, to see avc denied messages.
I think overall what you are seeing should be in line with AOSP's security ideals. An app signed with System keys should not be able to get system permissions. It also needs to be located in the correct place, either as a privileged app or vendor app. Such apps need to be whitelisted. There's a built-in script in AOSP source to even generate the permissions for whitelisting (it produces the required xml).
There are two classes of system apps, /system/app/ and /system/priv-app/.
The privileged apps are the only ones that get signature level permissions, and according to newer versions of Android, you need to enable whitelisting in the /system/etc/priv_app-permissions_device_name.
If you make any changes to the system or vendor when verity is enabled, firstly they are mounted read only, but somehow if you do make a change, the device will brick itself. This is the security feature. All custom development needs to be done in userdebug builds with SELinux in permissive mode, and then all the permissions need to be predefined, SE Policies fine tuned to utmost minimal, only then the user build can function normally. User build is not at all suitable for AOSP development activities, even if it's just for testing or trying out a single app.
User build is production type build that the end user can use and is not for development. It's the most secure form of android, so if you have platform keys, it may never be enough.
All that being said, I'm sure you don't have the right keys. Just pull an app from system/priv-app/ and use keytool or similar to check its signature, and then try to match with your release apk.
It's a little complicated as it is, and kind of hard to explain, and there are levels of permissions also in Android, so if you aren't following a specific approach/path, you will not be able to get it to work.
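To make the "check the logs for avc denied messages" step above concrete, here is an added example (not code from any of the posts) that groups SELinux denials found in logcat text by source domain, target type and object class. The sample log lines and the names `summarize_denials` and `domain` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed logcat lines (not from the original post), in the kernel audit
# layout that `adb logcat` prints for SELinux denials.
SAMPLE_LOG = """\
05-12 10:01:22.100  2211  2211 W example.app: type=1400 audit(0.0:55): avc: denied { write } for name="logdr" dev="tmpfs" ino=711 scontext=u:r:system_app:s0 tcontext=u:object_r:logdr_socket:s0 tclass=sock_file permissive=0
05-12 10:01:22.900  2211  2211 W example.app: type=1400 audit(0.0:56): avc: denied { write } for name="logdr" dev="tmpfs" ino=711 scontext=u:r:system_app:s0 tcontext=u:object_r:logdr_socket:s0 tclass=sock_file permissive=0
05-12 10:01:23.050  2211  2211 I example.app: starting log reader
05-12 10:01:24.400  2211  2230 W example.app: type=1400 audit(0.0:57): avc: denied { read open } for path="/data/system/x" dev="dm-5" ino=99 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
05-12 10:01:25.000  3090  3090 W other.app: type=1400 audit(0.0:58): avc: denied { search } for name="system" dev="dm-5" ino=12 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def domain(context):
    """u:r:system_app:s0 -> system_app (third field of an SELinux context)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(log_text):
    """Group denials by (source domain, target type, class), merging perms."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "enforced": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # ordinary log line, not an SELinux denial
        key = (domain(m["scontext"]), domain(m["tcontext"]), m["tclass"])
        group = groups[key]
        group["perms"].update(m["perms"].split())
        group["count"] += 1
        # permissive=1 means the access was only logged, not blocked
        if m["permissive"] != "1":
            group["enforced"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize_denials(SAMPLE_LOG).items():
        state = "blocked" if g["enforced"] else "logged only (permissive)"
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} x{g['count']} {state}")
```

On a real device the input would come from `adb logcat -d`; each group shows which domain was refused which access, which is what a reviewer needs before deciding whether a policy change is justified.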
I have developed an android app and put this as prebuilt APK in AOSP.
So the app will be installed in /system/app as a system app.
The app has update function itself by downloading and installing the newer version APK.
But it does not work because system app cannot be updated.
Is there any way to update self-made system app?
A system app can be updated in two ways:
Updated by OTA update: this will change the app directly, and the app still exists on /system.
Updated by using the package install API: this needs the new version APK to have the same signature as the one on /system, and the new version will be installed on /data. That means, if the device is reset, the new version will be lost.
OTA update is the normal way of updating a system app.
Yes, you can install an updated version of your original system app into the /data partition, provided that:
1. Both app versions are signed with the same key;
2. The updated app’s versionCode is greater than or equal to the original app’s.
One way to do this update is to use the following adb command: adb install -r <your updated apk file>. Then you can test your updated version without having to rebuild your AOSP code.
Note that your updated version in the /data partition will be removed via a factory data reset. In this case your original system app will take effect again.
I've a signed and compiled APK but I cannot install it on a rooted device.
I've tried:
- Put APK on system/priv-app folder
- Run adb set-device-owner
- Install apk using adb install
And nothing...
I want to enroll my device with COPE ownership.
Thanks in advance
Martín
In order to use a system service, you might need to sign the system service with the system signing key (i.e. the key which is used to sign the Android OS). In the system service manifest, it is set as follows in order to work as a system application:
android:sharedUserId="android.uid.system"
However, if you need to run this on a rooted device, you can simply remove that attribute from the manifest and make the app a system app using a root utility application in order to enroll the device with COPE ownership.
When I build my Android source code, my apps install as system apps in system/app. I do not want that. I want my apps to install as normal apps in data/app, which also makes it easy for the user to uninstall the app.
This answer did not help me,
Install an app into data/app instead of system/app in the Android Source compilation
The Android Source build makes the system.img. This does not include the data partition so you cannot add apps to the data partition. Apps that are built by the source go into either /system/app or /system/priv-app.
I am building an app that will be bundled on an Android device as a system app. The manufacturer is a ways out on delivering the device to us, so in the meantime I'd like to grant my app system level permissions in the emulator so I can work on an auto update feature that will do silent installs of APKs without any interactions from the user. From what I've read, it's my understanding that the only way to be able to do silent installs on Android is if your app is signed with the same cert as the OS. So how can I simulate this in the emulator?
If you want a signatureOrSystem permission, you just need to be placed on the system image; you don't need to be signed with any special cert. You can do this as a one-off (until you exit the emulator) like this:
> adb root
> adb remount
> adb push /path/to/My.apk /system/app/My.apk
Once you have done that, you can use the normal process to install further updates on the data partition ("adb install -r /path/to/My.apk" which is what the developer tools do when you run from Eclipse). When installing this way, the app retains any signatureOrSystem permissions it had requested from the original version on the system image, but can not gain any new such permissions.
If you need pure signature permissions, you need to sign your app with the same cert as whatever is declaring those permissions (typically the core framework, but the media system is a separate cert etc). If you are requesting signature permissions you don't need to be installed on the system image, you can just install it as a normal app and it can still get the permissions because of the signing.
As far as I can tell, you need to:
download the Android source and build an emulator firmware image.
sign your application with the keys in the Android source tree at /build/target/product/security/.
add android:sharedUserId="android.uid.system" to your application's manifest.
run your application on an emulator using the image built in step 1.
The reason for having to build your own firmware image is so that you can get at the keys. Now, it might be possible that the keys for the standard emulator image are available somewhere, which will save you the long and exceedingly tedious process of building your own Android, but I'm afraid I have no idea where these might be.
Disclaimer: never tried this myself.