Thanks Dianne. That was a nice piece of information.  A couple of
questions/comments.
1. Is there any way to retrieve information from the .apk on the
server side other than using the aapt tool?
2. Just curious, why did you say "you probably don't want to download
the .apk to the SD card"?

Balwinder Kaur
Open Source Development Center
·T· · ·Mobile· stick together

The views, opinions and statements in this email are those of the
author solely in their individual capacity, and do not necessarily
represent those of T-Mobile USA, Inc.

On Aug 21, 9:50 am, Dianne Hackborn <hack...@android.com> wrote:
> The official way to do this is to put the .apk somewhere, and launch the app
> installer on it.  This will copy the .apk into a secure place, analyze it,
> present the confirmation dialog (with the app's identity and permissions) to
> the user, and once confirmed proceed with the install.
>
> If your app is being built into the system, you can do a flow like market
> does: get the information about the app from the server first to present the
> confirmation dialog, then download the .apk and directly call the package
> manager to install it.  This of course requires that the app be extremely
> careful about its implementation to avoid holes (ensure it has a secure
> connection with its server, is correctly parsing all relevant data out of
> the .apk on the server, is retrieving the .apk into its private storage
> before installing, etc).  I believe the market also makes use of the
> download manager for downloading the .apk (which has access to the cache
> partition as a secure area for temporary download storage), which is not yet
> a public API but again if you are being bundled with a system you can use.
>
> That all said, there is nothing fundamental here that market is doing that
> regular apps can't.  It is just able to do a different flow (permission
> check before download) because the system trusts things built into it to
> directly install apps, and is able to use private APIs like the download
> manager instead of doing that work itself.
>
> Anyway, you probably don't want to download the .apk to the SD card, though
> from the system's perspective this is not a security hole, since it will
> copy the .apk into its own secure area before proceeding with the install.
>
>
>
> On Fri, Aug 21, 2009 at 7:44 AM, engin <enginarsla...@gmail.com> wrote:
>
> > Hi, I want to learn how the Google Android Market provides security
> > for applications. That is, I realize that when the user downloads an
> > application, Market downloads and installs the application atomically
> > to the phone. I am designing a market and security is an important
> > issue, so I wonder how Google achieves this. How is the application
> > installed on the phone?
> > 1) Is the apk downloaded to the sdcard and deleted after installation?
> > In that case, how can Market guarantee anything when the apk is
> > downloaded to the sdcard, the program finishes unexpectedly, and the
> > installation-deletion of the apk cannot be done?
> > 2) Or is the installation done from the server?
> > 3) I think there is some security to prevent copying the apk. How do
> > they do this? Maybe they use the phone id to install the application,
> > so that even if anyone copies the apk they cannot install it on
> > another phone?
>
> > As I said above, I am trying to design a market.
> > Thanks...
>
> --
> Dianne Hackborn
> Android framework engineer
> hack...@android.com
>
> Note: please don't send private questions to me, as I don't have time to
> provide private support, and so won't reply to such e-mails.  All such
> questions should be posted on public forums, where I and others can see and
> answer them.
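
The "retrieve the .apk into private storage before installing" step from Dianne's reply, combined with the interrupted-download case from the original question, as an added example that is not part of the thread and is not Market's code. Python is used here as a language-neutral sketch of the staging logic; `stage_apk`, the `.part` suffix and the server-supplied SHA-256 digest are assumptions.

```python
import hashlib
import os
import tempfile

# Constructed sample payload standing in for a downloaded .apk (not a real package).
SAMPLE_APK_CHUNKS = [b"PK\x03\x04", b"constructed-sample-", b"apk-bytes"]


def stage_apk(chunks, private_dir, expected_sha256):
    """Stream chunks into private_dir; return the final path once verified.

    expected_sha256 is assumed to come from the market server's metadata
    over the secure connection; the thread does not specify such a field.
    """
    os.makedirs(private_dir, exist_ok=True)
    os.chmod(private_dir, 0o700)  # owner-only, unlike a shared SD card
    # A crash mid-download leaves only *.part files; sweep them on the next
    # run (assumes one downloader at a time uses this directory).
    for name in os.listdir(private_dir):
        if name.endswith(".part"):
            os.unlink(os.path.join(private_dir, name))
    fd, tmp_path = tempfile.mkstemp(suffix=".part", dir=private_dir)  # mode 0600
    digest = hashlib.sha256()
    try:
        with os.fdopen(fd, "wb") as out:
            for chunk in chunks:
                digest.update(chunk)
                out.write(chunk)
            out.flush()
            os.fsync(out.fileno())
        if digest.hexdigest() != expected_sha256.lower():
            raise ValueError("downloaded .apk does not match server digest")
        final_path = os.path.join(private_dir, digest.hexdigest() + ".apk")
        os.replace(tmp_path, final_path)  # atomic: installer never sees a partial file
        return final_path
    except BaseException:
        # Interrupted stream or digest mismatch: leave nothing behind.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


if __name__ == "__main__":
    want = hashlib.sha256(b"".join(SAMPLE_APK_CHUNKS)).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        print(stage_apk(SAMPLE_APK_CHUNKS, os.path.join(root, "staging"), want))
```

Only a file that has been fully written, synced and matched against the expected digest ever appears under its final `.apk` name, so the install step can key on that name alone.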