Android Known Sources

2

14

When you install an APK file that is from an unknown source, Android will complain and verify that you want to install that APK file. This file must be checked against a list of known sources.

I am interested to know where that list of known sources is located on Android AOSP.

Edit: I apologize if my question is confusing, but allow me to clarify. When you install an APK from USB or email, Android will prompt you, saying you are installing an app from an unknown source. At this point you can either deny or accept that fact and move on. In order to determine if an app is being installed from an unknown source, I am assuming that there is a list of known sources that is included with AOSP. I may be wrong, as one comment has pointed out that it's just all apps that are not installed from the Google Play Store.

I would like to see where this check is done. Where in AOSP is this check made if there is no list, or where is this list of known sources if there is a list?

Qadi answered 9/9, 2013 at 13:13 Comment(5)
That means it's an app that wasn't downloaded from the Android market. Other than that, there are no "known sources." - Dualism
I guess you're looking for a database with domains and APK files which are known to be safe, right? I know none, but I hope my comment will help other users to understand your question a bit better. - Rakehell
Also if someone is downvoting, I would love to know why. Is it because the question was vague, or because you think this is not a valid question? - Qadi
known source = android Play. that's the only known source. - Calotte
@Calotte That is not entirely true upon investigation. See my answer. - Qadi
27

So I have looked through the AOSP source code now to see how that Unknown Sources check is done. It is more complicated than known source = android play.

So first of all, for background, that Unknown Sources check and message are generated by INSTALL_NON_MARKET_APP. This flag comes up in a few places, but the main place is in PackageInstallerActivity. In fact, this is the only place in AOSP where it comes up and is used to some effective degree. Let's look at that here:

    String callerPackage = getCallingPackage();
    if (callerPackage != null && intent.getBooleanExtra(
            Intent.EXTRA_NOT_UNKNOWN_SOURCE, false)) {
        try {
            mSourceInfo = mPm.getApplicationInfo(callerPackage, 0);
            if (mSourceInfo != null) {
                if ((mSourceInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
                    // System apps don't need to be approved.
                    initiateInstall();
                    return;
                }
            }
        } catch (NameNotFoundException e) {
        }
    }
    if (!isInstallingUnknownAppsAllowed()) {
        // ask user to enable setting first
        showDialogInner(DLG_UNKNOWN_APPS);
        return;
    }
    initiateInstall();

So PackageInstaller is a package included with AOSP that understands how to handle the ACTION_VIEW intent for APK files. PackageInstaller checks two things before it allows an app to be installed.

  1. That the app is a system app. If an app is a system app, it doesn't care, it tells the package manager to install your app. This means that if Samsung puts their Samsung market store as a system app on Samsung devices, then it is automatically a trusted source. In fact, it will skip step 2 here.

  2. If that system flag is not set. If that flag is not set, and thus you are not a system app, then therefore you are not a trusted source. That being said, system apps can also skip the package installer and just go straight to calling the hidden function installPackage, which can be found in PackageManagerService. This seems to be what the Google Play Store does, as when I disable the installation capabilities on PackageInstallerActivity I can still install APKs just fine.

So to sum up: Known sources are SYSTEM APPS, not just applications downloaded from Google Play. Google Play completely circumvents the INSTALL_NON_MARKET_APP flag because it does not use the PackageInstaller. If you create an app that is not a system app, your only method for installing APKs is to use the PackageInstaller. Since your app is not a system app, it will check to see if unknown sources is disabled.

Qadi answered 9/9, 2013 at 17:10 Comment(3)
@TheTerribleSwiftTomato Thank you. I'm doing work surrounding this process so I needed something fairly concrete. Since Google Play is essentially the only system app that installs APKs, it seems like it's the only one but there could be more. - Qadi
Bit late, but I have developed an Android app, and I know there are lots of MDM solutions which allow download of APKs without changing any security settings on the Android device. So how would one avoid downloading APKs from the Google store? Would I need to create my own package installer? (Sorry if it sounds like a silly question.) - Debauch
The app which allows downloading and installing other apps either needs to be pre-installed on the system, or signed with the system key. Otherwise you need to make modifications to some part of the system to do that. - Qadi
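
An added example, not part of the original answer and not AOSP code: a device-side audit that lists the packages the quoted check would treat as trusted, meaning every package with FLAG_SYSTEM set, and notes which of them also hold INSTALL_PACKAGES and so can install through the package manager without PackageInstaller. The class name, method names and log tag are hypothetical, and the code assumes an Android version where getInstalledApplications returns all packages to the caller.

```java
import android.Manifest;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.util.Log;

import java.util.ArrayList;
import java.util.List;

/** Added example: audits which installed packages the check quoted above would trust. */
public final class TrustedInstallerAudit {
    private static final String TAG = "TrustedInstallerAudit"; // hypothetical log tag

    private TrustedInstallerAudit() {}

    /**
     * Returns one line per package that has FLAG_SYSTEM set, i.e. every package that
     * PackageInstallerActivity lets past the unknown-sources dialog when it is the
     * caller and sets EXTRA_NOT_UNKNOWN_SOURCE.
     */
    public static List<String> findTrustedSources(Context context) {
        PackageManager pm = context.getPackageManager();
        List<String> report = new ArrayList<String>();
        for (ApplicationInfo app : pm.getInstalledApplications(0)) {
            if ((app.flags & ApplicationInfo.FLAG_SYSTEM) == 0) {
                continue; // ordinary app: always subject to the unknown-sources setting
            }
            // Holding INSTALL_PACKAGES lets a package install APKs through the
            // package manager directly, without going through PackageInstaller.
            boolean canInstallDirectly = pm.checkPermission(
                    Manifest.permission.INSTALL_PACKAGES, app.packageName)
                    == PackageManager.PERMISSION_GRANTED;
            // Updated system apps live on the data partition but keep FLAG_SYSTEM.
            boolean updated = (app.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0;
            report.add(app.packageName
                    + " directInstall=" + canInstallDirectly
                    + " updatedSystemApp=" + updated);
        }
        return report;
    }

    /** Logs the report; every entry with directInstall=true deserves a review. */
    public static void logReport(Context context) {
        for (String line : findTrustedSources(context)) {
            Log.i(TAG, line);
        }
    }
}
```

On a vendor image the entries worth reviewing first are the ones with directInstall=true that are not the platform's own installer or store.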
0

As the comments have already suggested, the word "sources" means "place of origin" (as in, application package repositories), not "source code". This is completely unrelated to the AOSP.

Usually, that means "applications downloaded from Google Play" (and the previous Android Market).

I say "usually", because you could conceivably define another source in a custom fork - haven't encountered this personally, though (don't know how that meshes with Samsung's app store).

Saboteur answered 9/9, 2013 at 13:40 Comment(0)
