I have an SQLite database stored in the assets resources of one application used to load UI and other stuff into the app, mainly just holding text nothing out of the ordinary. I want to be able to get a writable version of this database so I can modify it from another application.
Example:
First application is on the market with limited number of enabled features. User gets to a certain point where they need to buy extra content to do more stuff in the app. The original app has these features but they are not enabled in the app using the database. I want the user then to download a second app from the market which is just used to change one field in the database from disabled to enabled thus unlocking the new features.
I have an idea I may need to use content providers but my understanding is once created they are accessible to all applications. I need it, for piracy reasons I guess, to only be able to communicate with apps signed off by my key.
Thanks
Sam,
I understand what you intend to do, but you are going about it the wrong way. Your 'Unlock App' would not be able to modify the Database in the assets folder of your 'Free App'. That's just general android security model stuff.
You may want to look at this question: How can I use the paid version of my app as a "key" to the free version?
It describes how you can create a 'Unlock App' on the market to unlock features of your 'Free app' without needing to actually modify any of the original data in the 'Free App'.
Good luck
Related
Context: I have two apps, both signed with the same signature. The first app has data stored in internal storage that I would like to migrate to the second app.
Question: How can I access the data in the first app from the second app? The Android documentation makes reference to "signature permissions" (https://developer.android.com/guide/topics/permissions/overview#signature and https://developer.android.com/training/articles/security-tips#StoringData) and hints that it is possible to share data between apps with the same signature, but I cannot find clear guidelines about how to do this.
It seems like it might be possible by creating a content provider? Or is it possible to directly access the files, since I understand from the docs that they will be running with the same user / same process?
Ideally this process can happen with minimal intervention from the user, and can all happen from the second app (e.g. the second app can recognize that the first app is installed, prompt the user to migrate, and then read the data from the first app and move it to the second). It would be even better if it was possible to move the files (rather than copy) because we potentially have a lot of data and the user may not have enough disk space to copy the data.
It seems like it might be possible by creating a content provider?
Yes. You can create a signature-level permission and use that to protect access to any of the standard IPC options in Android, including ContentProvider and Service.
Or is it possible to directly access the files, since I understand from the docs that they will be running with the same user / same process?
No, two apps signed by the same signing key to not run as the same user, let alone in the same process. android:sharedUserId has the apps run as the same user. This was never a great idea, is deprecated, and is likely to go away soon.
It would be even better if it was possible to move the files (rather than copy) because we potentially have a lot of data and the user may not have enough disk space to copy the data.
That suggests that having two apps is a bug, not a feature, from the standpoint of the user. The closest you will be able to do to a "move" operation is "delete-after-copy", so plan your copies to be as granular as possible so you can delete as you go.
Some relevant background:
My application is a Java app compiled into a .exe via JSmooth. The anticipated user base would likely be a few hundred users, but could grow well beyond that, as it's a community specific application.
How it works:
2 .jar files, one that preforms initial checks, another with the meat of the application.
Ideally, the init jar displays the splash, checks the version in desktop.txt against server.txt, if they differ, it prompts the user to update.
What I need to figure out:
1) What is a cheap, scalable hosting service that I could use as the file host for updates?
2) How can I create an "updater" to actually preform the jar replacement? My current solution is simply writing an updater in Java, but I was hoping for something like the installers people are more familiar with.
All of the research I've done has resulted in lackluster results, as 99% of hosting searches result in site hosting results. I just need an update repository with reasonable security. i.e., decent DDoS resistance and not left wide open to the Internet.
Edit: formatting
Easy to do and very foolish cheap with Amazon S3 or Joyent Manta as both support time-limited signed URLs and headers (which can contain a SHA-1 of the file) to check to see if the update is needed before downloading
On startup your app would check the update URL to see if it has changed. If it has changed, download the JARs. Do this before the app loads classes from those JARs. Updating the updater itself will be trickier so consider that an update might need a new update URL to prevent expiry.
Is is possible to create a new APK by overloading/overriding and existing APK.
Say, we have WhatsApp messenger. Now if I want to show a notification like, "Person X is online now.", in notification area, it is not possible using the existing WhatsApp messenger. So, I'd like to develop a new custom messenger, which uses all the functionality of WhatsApp messenger, with some of my custom code. Just like importing JARs, can we import APK...??
This seems like using another persons work, but just from learning point of view, I'd like to know the possibilities. As of now, lets leave all the, security, vulnerability.
In a nutshell, no.
APKs are not like Jar files such that you can simply import them into your app. They also contain other resources like the XML and assets. The code is kept in a classes.dex file, which is generated from the Jar file of the app code.
Moreover, each app runs in its own DVM, and is sandboxed to prevent this kind of interaction between apps. You cannot simply use WhatsApp's code in your own app as a third party apps.
There are however two ways to achieve what you want.
If the app you are targeting provides an API by means of content providers, or even web services that you can use to access their data and events like users coming online. WhatsApp does not offer any such API
You decompile the target app, and insert your own code to do what you want. This can be very hard because most popular apps, like WhatsApp, obfuscate their code making it hard to decipher (but not impossible). Additionally, WhatsApp encrypts most of its data like messages, contacts, chat threads etc using AES, which adds an additional layer to bypass in some places. Oh, and it also violates several IP and copyright laws if you do this.
Yes and No.
There are a couple of ways for an app - a standalone one - to share its information with other apps. One is through the use of a content provider, the other through custom broadcasts.
If, say, WhatsApp has documented its app and was built such that you can build on it further, you can catch those broadcasts and listen to those providers such that your app can also react upon the changes made in WhatsApp.
you can create a config.properties file and insert it in Asset folder in your wattsup messenger assuming you have the source code,
Now you will have to configure your custom application to write that changes in this file, however you can change these data in several ways such as webservices that allows you to modify that data in that file through them .
ok with the above scenario, you can make the changes,but your application will never update that changes coz your dealing with an APK not a code,therefore you will have to re-generate the APK again so it will take the latest changes .
for an automated APK generating you can use ANT tools, by placing a build.xml file in your wattsp sources
code you can run that script which ant release that will generate the new APK with the latest code
as you said these are possibilities still but in my opinion in the end you cant use the APK as a library
I'm working on a java swing application that up until now was single user/role. Now I have a requirement that users should be separated into roles with different permissions. Each panel in the application will have certain permission requirements that will dictate its behavior (i.e. it needs permission P1 for visualization and P2 for editing).
After some research it I'll stick to Apache Shiro for my security/UAC framework.
My question is this:
Where should I store the required permissions for each panel? My first thought was to have them in the java class itself, but this seems kind of "hack-y". Another option was to have them stored in the database and link the class with its required permissions. But this creates problems: every time a new panel is added/removed permissions will have to be updated in the database.
If you have any pointers to how this could be done/was already done, i would be very grateful.
I think the safest thing is to store the permissions in the database (or any other centralized server). The advantage is that if the permissions change, you have only one central place to change.
If any security configuration is in the application, then after a change you would have to make sure that no user is using secretly an old version...
I'm trying to develop an application for taking backup for my device. How can I write this? Till now, I've got all the installed packages list and I'm placing 3 buttons for taking the backup(Backup, CheckAll, Cancel).
If I'm going to take backup button it contains one alertdialog it shows 3 options (now, later, cancel). How to take backup the installed packages to one new list and it'll shows by date and time. How can I do this? Any idea?
i don't know if its possible to do that. I remember that i read in an article that in order to access to other packages you need to use the same user that the app does, and from my point of view that means that all the applications that are going to be backed up need to have the same user. I'm not an android expert but i think it wouldn't be possible to gain access to the other packages if you try Java IO to read the files as you normally do.
Good luck, maybe someone knows how to do this.
I don't know what do you mean by backup installed packages.
Generally users keep backup of their database and preferences data.
If you want to take a backup of your database and preference then you can create xml of your database and preferences using xml-serialization.
More information about xml-serialization Click here
And also you can refer inbuilt facility for get backup Click here