Search code examples
apkurisecurityexceptionandroid-7.0-nougatpackageinstaller

Programmatically install an apk in Android 7 / api24


I am trying to get my app to automatically install an apk. This works fine for api<24. But for 24, it is failing. Android has implemented extra security:

For apps targeting Android 7.0, the Android framework enforces the StrictMode API policy that prohibits exposing file:// URIs outside your app. If an intent containing a file URI leaves your app, the app fails with a FileUriExposedException exception.

So I tried this:

    Uri myuri;
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N){
        myuri = Uri.parse("file://"+outapk);
    } else {
        File o = new File(outapk);
        myuri = FileProvider.getUriForFile(con, con.getApplicationContext().getPackageName() + ".provider", o);
    }
    Intent promptInstall = new Intent(Intent.ACTION_VIEW).setDataAndType(myuri,"application/vnd.android.package-archive");
    con.startActivity(promptInstall);

but get a fatal exception:

com.android.packageinstaller "Caused by: java.lang.SecurityException: Permission Denial: opening provider android.support.v4.content.FileProvider from ProcessRecord{b42ee8a 6826:com.android.packageinstaller/u0a15} (pid=6826, uid=10015) that is not exported from uid 10066". 

I have export=true in my manifest.

The problem seems to be that packageinstaller cannot use a content:// uri.

Are there any ways to allow an app to progammatically install an apk with api24?


Solution

  • Are there any ways to allow an app to progammatically install an apk with api24?

    Add addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION) to your promptInstall setup, to grant read access to the content.

    I have export=true in my manifest.

    Not on your FileProvider, as that would cause your app to crash.

    The problem seems to be that packageinstaller cannot use a content:// uri.

    No, the problem is that you did not grant permission to the package installer to read from that Uri. Had the package installer been unable to use a content scheme, you would have gotten an ActivityNotFoundException.

    Note, though, that it is only with Android 7.0 that the package installer starts supporting content. Earlier versions of Android have to use file.