I'm currently developing a small Android app that will not be on the Play Store. It is a private business application that will be used for a non-emergency transport company. The Android app will show drivers a list of pickups and drop-offs that they will have throughout the day and allow them to update the status of those trips. What I'd like to do is have some method of updating the app during off hours or when the device is idle. Ideally, it would be great if someone has already written some kind of Android updater that can run as a service. However, I certainly wouldn't mind writing this on my own.
Either way, all it needs to do is pull an APK from our servers and install that APK. I usually don't like doing things sneaky like this, but our clients want it to be this way so that they won't have to go to each device and press OK on permission prompts and they don't want to leave the responsibility of updating the software to the drivers.
I understand the security concerns, but it seems to me that there should be some way to allow an app to auto-update itself if the user permits it. Also, our app is signed and includes a certificate on the device to verify that the downloaded app is legit.
As CommonsWare mentioned it's not supported by standard android. If you take the path of creating your own firmware and installer take a look at the existing PackageInstaller. The required changes are not so complicated.
I did it for a couple of custom versions and it works.
Either way, all it needs to do is pull an APK from our servers and install that APK. I usually don't like doing things sneaky like this, but our clients want it to be this way so that they won't have to go to each device and press OK on permission prompts and they don't want to leave the responsibility of updating the software to the drivers.
This is not possible, except via custom firmware or on a rooted device.
it seems to me that there should be some way to allow an app to auto-update itself if the user permits it.
You are welcome to build your own customized version of Android that has this capability. Stock Android does not offer this, except to the firmware itself.
Related
I want to access the apk file of any app before installation.
In more details: in google play store when the user clicks on Install button I want my application to access the apk file of the application that the user wants to download, and analyze this apk file and be able to whether allow the installation or stop it.
is that possible and if so how to approach this
On Android this functionality was introduced in Android 4.2. It is usually used by anti-malware products like Google Play Protect is known as a "Package Verifier". There is a good blog post on it here.
The short answer is this has to be done as part of the phone manufacturing process as it is so critical to security. So the answer is it can be done, but if you write this code you will need to get a phone manufacturer to include your code as part of a phone system image.
Most third party anti-malware products instead rely on analyzing the APK after the install happens by listening to the package added notification.
Definitely not possible in the way that you want. Android's OS is pretty well locked down. You might be able to do something if the device was rooted but at that point you may as well write your own OS fork. You can attempt to do someting with https://developer.android.com/reference/android/content/Intent.html#ACTION_PACKAGE_ADDED broadcast but you will not be able to analyze the apk freely nor will you be able to stop the installation of it.
My application will be running on hundreds of android devices belonging to a single owner and I may need to modify the software as an update at some point.
I decided I should include a feature to check with the server for updates and download them, which is currently working.
Installing the update is the difficult part. I need it done automatically. Preferably with no user interaction since there are hundreds of devices and it would be very time consuming to do each one manually.
This is the problem, even with the device rooted, I can not find a generic way that each device can install the update without system specific information.
I have read questions like this but can not find a proper answer: Install Android APK without prompt
The bottom answer executes but I can find no installed app, so I assume it failed.
What you want to do is not possible without some serious hacks. A private app store might be a better fit.
If your client is a Google Apps user, you can create a private channel in the Play Store.
Distribute Android apps in your organization
If not, you will have to rely on third party solution like these one:
Apperian Mobile Application Management
ManageEngine Mobile Device Manager
I didn't try any of these, so you will have to do some research to check that they fit your needs
I port my android apps for making bb10 builds . Since now from bb10.2.1 update blackberry has introduced a new concept wherein apk's can be directly installed and can be installed in BB10 devices if the manage apps in settings menu of the phone is made ON. My question is that I wanna restrict my users from doing so and not installing the apk's into bb10 . And take download my app only from appworld.
Has anyone faced and has fixed this issue kindly tell me on how to solve the same.
Based on the Android behaviour, I don't think you can restrict users from doing so.
I haven't tried it on BlackBerry but from what you say, that option sounds analogue to the Unknown sources setting under Security settings on Android. If the user enables the installation of applications from unknown sources on their phone, there is now way to prevent the direct install of the apk (by adding something to your apk or any other way).
There is no way to restrict it to BlackBerry World only. If they get the APK, they can load it directly this way. There may be other ways around it though.
If, for example, your app is for sale and people are side loading a pirated copy, you could change your app to be free, and put some advanced functionality in your app behind an in-app purchase. That way they'll be forced to go through the storefront at some point to pay. This takes bigger changes to your app though, and the IAP implementation is likely different between BBW and GPlay.
You could also put in a version check: when your app launches, it checks a special file on your web server to see what the latest version of the app is. If they don't have the latest version, it doesn't let them use the app until they upgrade. This won't prevent side loading or piracy outright, but you can put out updates often enough to make side loading very annoying. When they are roadblocked and told to get the new version, you can link directly to the storefront to encourage them to get the latest version there.
Thirdly, and lastly, if you port your app to a BlackBerry 10 native, cascades, or WebWorks app, the app file is fully protected and can't be pirated or extracted from BlackBerry World (since the platform is secure). That will 100% protect you from piracy on BlackBerry 10.
I hope this helps!
I'm building an MDM application for Android devices and I want to be able to silently update the MDM app in order to patch security holes, add new features, etc. I know it is possible to achieve this by accessing the Android Package Manager Installer but from what I can tell this requires the application to be signed with the same signature from a specific OEM.
Is it possible to do a silent update for an MDM application without rooting the device?
You cannot, and this is viewed as a Good Thing from the point of view of the user, because the code that I install cannot be changed by anybody except software signed by a trusted key (such as Google's Play), or with manual approval.
I can think of two workarounds:
Check if there's an update, download it, then refuse to do anything until the user updates the app.
Dynamically load most of your app's functionality at runtime from a JAR that your app downloads. You could silently update this at will.
Heck, you could even combine the two options, so that if the wrapper needs updating, it will bother the user. The second method will make the nags very infrequent.
You should probably let the user know that this is happening, at least in an initial info-screen. I know I would uninstall any app that tried to go behind my back in this manner, if I found out about it.
A company asked me if I am able to program an Android-App for their internal process but with small mobile-device-management capabilites. I'm aware of the "enable manual apk-installation"-checkbox inside of the Android-Settings-Menu. I think it opens additional security holes if it is permanently checked.
So easiset way is to send a SMS with an URL to this APK, enable checkbox, install the update and disable checkbox manually. A lot to do, to update a program.
Coming from Windows Mobile and Symbian I was able to program a Facade.exe which starts a download and replaces some signed parts. The Application signing of Windows Mobile and Symbian allows this.
Is this possible with Android(not rooted)? I read some articles that it is possible to implement own Markets(like Amazon is doing it). Is it possible to use some of those APIs for the purpose of doing an auto-update. Where are thoes APIs, I am not able to find them.
Is this a solution:
Programming a torch-app(there are thousands around), publishing it to the android market. But with a small button to activate the whole application with a secret password. Updates can be rolled out via android market functionality.
A complete MDM (mobile device management) is overkill.
Is this possible with Android(not rooted)?
Not readily. You can use the techniques used by the Sideload Wonder Machine, extracting the requisite bits out of the SDK to do sideloads via USB. However:
Your Facade.exe implies the user runs Windows.
This implies that the user has the adb drivers for their device for Windows.
Neither of those are guaranteed.
I read some articles that it is possible to implement own Markets(like Amazon is doing it). Is it possible to use some of those APIs for the purpose of doing an auto-update.
You can download whatever you want, such as an APK. You can tell Android to VIEW whatever you want, such as your APK. If you VIEW an APK (and have the right MIME type in your Intent), that will trigger an install or update. The user will be prompted about the install or update -- on an install, for example, it will give them the screen listing all the requested permissions.