I'm building an MDM application for Android devices and I want to be able to silently update the MDM app in order to patch security holes, add new features, etc. I know it is possible to achieve this by accessing the Android Package Manager Installer but from what I can tell this requires the application to be signed with the same signature from a specific OEM.

Is it possible to do a silent update for an MDM application without rooting the device?

1 Answer

You cannot, and this is viewed as a Good Thing from the point of view of the user, because the code that I install cannot be changed by anybody except software signed by a trusted key (such as Google's Play), or with manual approval.

I can think of two workarounds:

  1. Check if there's an update, download it, then refuse to do anything until the user updates the app.
  2. Dynamically load most of your app's functionality at runtime from a JAR that your app downloads. You could silently update this at will.

Heck, you could even combine the two options, so that if the wrapper needs updating, it will bother the user. The second method will make the nags very infrequent.

You should probably let the user know that this is happening, at least in an initial info-screen. I know I would uninstall any app that tried to go behind my back in this manner, if I found out about it.

George Hilliard
  • Note that the second option is difficult to secure and limits the scope of the updates to things that are represented in a JAR (e.g., no resources, no manifest entries). – CommonsWare Jun 26 '14 at 15:47
  • That's a good point; if OP decides to use it, he should **use a secure connection to the server** and **pin the certificate used** to connect. And major updates (that require new permissions, etc) rightly must be approved by the user. – George Hilliard Jun 26 '14 at 15:49
  • Awesome, guys. Thanks for the help and the quick response. I figured that the end case was a No but I thought it couldn't hurt to ask. Maybe there is some way that I wasn't aware of. So thanks again @thirtythreeforty – Jerome Kiefer Jun 26 '14 at 16:32
  • Yep. I'm a crypto nut; the security model is one of the reasons I like Android so much, assuming you have or can get root access, like on the Nexuses. (Nexi?) Glad to help! – George Hilliard Jun 26 '14 at 16:35
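
The comments above recommend a secure connection with a pinned certificate when downloading the runtime-loaded JAR. The following is an added example, not code from the answer or its comments, showing one way to do that in Java. It pins the SHA-256 of the server's public key rather than the whole certificate (a common variant of pinning), the class and method names are hypothetical, and it assumes Java 8 or Android API 26+ for `java.util.Base64` and `java.nio.file`.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

public final class PinnedModuleFetcher {
    /** True when the certificate's public key hashes to the pinned value. */
    static boolean matchesPin(Certificate cert, String pinBase64) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        byte[] pin = Base64.getDecoder().decode(pinBase64);
        return MessageDigest.isEqual(digest, pin);
    }

    /** Downloads the module into privateDir only if the server presents the pinned key. */
    static Path fetch(URL url, String pinBase64, Path privateDir) throws Exception {
        // The cast fails for a non-https URL, so plain HTTP is never used.
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setInstanceFollowRedirects(false); // a redirect would leave the pinned host
        try {
            conn.connect(); // TLS handshake with the platform's normal chain and hostname checks
            Certificate leaf = conn.getServerCertificates()[0]; // peer's own certificate
            if (!matchesPin(leaf, pinBase64)) {
                throw new SSLPeerUnverifiedException("server key does not match pin");
            }
            if (conn.getResponseCode() != HttpsURLConnection.HTTP_OK) {
                throw new IllegalStateException("unexpected HTTP status");
            }
            Path tmp = Files.createTempFile(privateDir, "module", ".tmp");
            try (InputStream in = conn.getInputStream()) {
                Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
            }
            // Replace the old module only after a complete download over the pinned connection.
            return Files.move(tmp, privateDir.resolve("module.jar"), StandardCopyOption.REPLACE_EXISTING);
        } finally {
            conn.disconnect();
        }
    }
}
```

On Android, `privateDir` would be a directory in the app's internal storage (for example under `Context.getFilesDir()`), so that other apps cannot replace the module before it is loaded.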