Curiously, how do you plan to distribute firmware updates? The URL for every OTA update.zip for the G1 has been discovered (it's not particularly hidden, nor should it be). If you have the .zip, you have all of the system apps.
-Will Scytmo wrote:
Hi, Is there any way for an OEM to give the same level of protection to packages loaded into /system/app as is given to 'forward locked' downloaded packages (which are placed in /data/app-private without world read permission)? I understand that the packages in /system/app should have had dexopt run, so the APKs do not contain classes.dex, and there is a separate .odex file alongside. However, for a package that does not require any 'signature' or 'signatureOrSystem' permissions, it seems possible to extract the APK and odex, and create a new self-signed package. This would appear to need an 'undexopt' step, to get classes.dex back from the .odex file - and, while I can't see any tools available that would do this at the moment, it doesn't seem intractible. Is there any particular reason why the files in /system/app are world- readable? Could a permission scheme like that used in /data/app- private be used, uid=system, gid=app_XX, mode=0640? I guess one issue would be determining the correct gid. Any other issues with doing this? Scytmo
