Android Known Sources

Tags: android, apk

When you install an APK file that is from an unknown source, Android will complain and verify that you want to install that APK file. This file must be checked against a list of known sources.

I am interested to know where that list of known sources is located on Android AOSP.

Edit: I apologize if my question is confusing, but allow me to clarify. When you install an APK from USB or email, Android will prompt you saying you are installing an app from an unknown source. At this point you can either deny or accept that fact and move on. In order to determine if an app is being installed from an unknown source, I am assuming that there is a list of known sources that is included with AOSP. I may be wrong, as one comment has pointed out that it's just all apps that are not installed from the Google Play Store.

I would like to see where this check is done. Where in AOSP is this check made if there is no list, or where is this list of known sources if there is a list?

Andrew T. asked Sep 09 '13 13:09




1 Answer

So I have looked through the AOSP Source code now to see how that Unknown Sources check is done. It is more complicated than known source = android play.

So first of all, for background, that Unknown Sources check and message are generated by INSTALL_NON_MARKET_APP. This flag comes up in a few places, but the main place is in PackageInstallerActivity. In fact, this is the only place in AOSP where it comes up and is used to some effective degree. Let's look at that here:

    String callerPackage = getCallingPackage();
    if (callerPackage != null && intent.getBooleanExtra(
            Intent.EXTRA_NOT_UNKNOWN_SOURCE, false)) {
        try {
            mSourceInfo = mPm.getApplicationInfo(callerPackage, 0);
            if (mSourceInfo != null) {
                if ((mSourceInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
                    // System apps don't need to be approved.
                    initiateInstall();
                    return;
                }
            }
        } catch (NameNotFoundException e) {
        }
    }
    if (!isInstallingUnknownAppsAllowed()) {
        // Ask user to enable setting first
        showDialogInner(DLG_UNKNOWN_APPS);
        return;
    }
    initiateInstall();

So PackageInstaller is a package included with AOSP that understands how to handle the ACTION_VIEW intent for APK files. PackageInstaller checks two things before it allows an app to be installed.

  1. That the app is a system app. If an app is a system app, it doesn't care, it tells the package manager to install your app. This means that if Samsung puts their Samsung market store as a system app on Samsung devices, then it is automatically a trusted source. In fact, it will skip step 2 here.

  2. If that system flag is not set. If that flag is not set, and thus you are not a system app, then therefore you are not a trusted source. That being said, System apps can also skip the package installer and just go straight to calling the hidden function installPackage which can be found in PackageManagerService. This seems to be what the GooglePlayStore does, as when I disable the installation capabilities on PackageInstallerActivity I can still install apks just fine.

So to sum up: Known sources are SYSTEM APPS, not just applications downloaded from Google Play. Google Play completely circumvents the INSTALL_NON_MARKET_APP flag because it does not use the PackageInstaller. If you create an app that is not a system app, your only method for installing APKs is to use the PackageInstaller. Since your app is not a system app, it will check to see if unknown sources is disabled.

Andrew T. answered Oct 19 '22 06:10
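
An added example, not part of the original answer or of AOSP: a plain-Java model of the branch in the PackageInstallerActivity excerpt above, run for four constructed callers under both values of the setting. The class, record and package names are assumptions; it shows that the fast path requires a non-null calling package, the EXTRA_NOT_UNKNOWN_SOURCE extra and the system flag together, and that every other caller depends on the unknown-sources setting.

```java
import java.util.List;

// Plain-Java model of the branch in the PackageInstallerActivity excerpt.
// No Android classes are used; Caller, Outcome and decide() are hypothetical names.
public class UnknownSourcesModel {
    static final int FLAG_SYSTEM = 1; // same bit as ApplicationInfo.FLAG_SYSTEM (1 << 0)

    // One install request. appFlags stands in for the result of
    // mPm.getApplicationInfo(callerPackage, 0).flags in the excerpt.
    record Caller(String label, String callingPackage, int appFlags,
                  boolean extraNotUnknownSource) {}

    enum Outcome { INSTALL, SHOW_UNKNOWN_APPS_DIALOG }

    static Outcome decide(Caller c, boolean unknownSourcesAllowed) {
        // Fast path: a known caller AND the extra AND the system flag.
        if (c.callingPackage() != null && c.extraNotUnknownSource()
                && (c.appFlags() & FLAG_SYSTEM) != 0) {
            return Outcome.INSTALL;
        }
        // Every other request depends on the device-wide setting
        // (isInstallingUnknownAppsAllowed() in the excerpt).
        return unknownSourcesAllowed ? Outcome.INSTALL
                                     : Outcome.SHOW_UNKNOWN_APPS_DIALOG;
    }

    public static void main(String[] args) {
        // Constructed sample callers; the package names are placeholders.
        List<Caller> callers = List.of(
            new Caller("system store, extra set", "com.example.vendorstore", FLAG_SYSTEM, true),
            new Caller("system app, extra not set", "com.example.systemapp", FLAG_SYSTEM, false),
            new Caller("third-party app, extra set", "com.example.thirdparty", 0, true),
            new Caller("no calling package", null, 0, true));

        for (boolean allowed : new boolean[] {false, true}) {
            System.out.println("Unknown sources allowed = " + allowed);
            for (Caller c : callers) {
                System.out.printf("  %-28s -> %s%n", c.label(), decide(c, allowed));
            }
        }
    }
}
```

The model needs Java 16 or later for `record`; a third-party app that sets the extra itself still reaches the setting check, because the extra is only honoured together with the system flag.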