The official way to do this is to put the .apk somewhere, and launch the app installer on it. This will copy the .apk into a secure place, analyze it, present the confirmation dialog (with the app's identity and permissions) to the user, and once confirmed proceed with the install.
If your app is being built into the system, you can do a flow like market does: get the information about the app from the server first to present the confirmation dialog, then download the .apk and directly call the package manager to install it. This of course requires that the app be extremely careful about its implementation to avoid holes (ensure it has a secure connection with its server, is correctly parsing all relevant data out of the .apk on the server, is retrieving the .apk into its private storage before installing, etc). I believe the market also makes use of the download manager for downloading the .apk (which has access to the cache partition as a secure area for temporary download storage), which is not yet a public API but again if you are being bundled with a system you can use. That all said, there is nothing fundamental here that market is doing that regular apps can't. It is just able to do a different flow (permission check before download) because the system trust things built into it to directly install apps, and is able to use private APIs like the download manager instead of doing that work itself. Anyway, you probably don't want to download the .apk to the SD card, though from the system's perspective this is not a security hole, since it will copy the .apk into its own secure area before proceeding with the install. On Fri, Aug 21, 2009 at 7:44 AM, engin <[email protected]> wrote: > > Hi, I want to learn that how google android market provides security > of application.That is, I realize that, when user downloads > application, market downloads and install application atomically to > phone. I am designing market and security is important issue so I > wonder that how google achieve this? How is application installed > phone? > 1) Is the apk downloaded sdcard and deleted after installation? In the > case of this how can market guarantee that when apk downloaded to > sdcard, program finishes unexpectedly and installation- deletion of > apk cannot be done? > 2) Or installation is done from server? > 3) I think that there exists security not to copy apk. how do they do > this? Maybe they use phone id to install application, by this way > even if anyone copy apk they cannot install it other phone? > > As I said above I am trying to desing market. > Thanks... > > > -- Dianne Hackborn Android framework engineer [email protected] Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en -~----------~----~----~----~------~----~------~--~---
