android: avoid file download with MODE_WORLD_READABLE

Question

Bonjour

I would like to create a simple market applications for android but I face a annoying issue.

The install flow is as below:

1- Download of apk file in the application context :

  InputStream input = new BufferedInputStream(url.openStream()) ;
  OutputStream output = openFileOutput("xx.apk", Activity.MODE_WORLD_READABLE);

  byte data[] = new byte[1024];

  while ((count = input.read(data)) != -1 && statusDownload ) {  
    output.write(data, 0, count);
 }

 output.flush();
 output.close();
 input.close();

2- When download is finished:

promptInstall = new Intent(Intent.ACTION_VIEW);             
File fileApk = new File (getFilesDir() + "/xx.apk");
promptInstall.setDataAndType(Uri.fromFile(fileApk) , Consts.APK_FILE_INSTALL_TYPE);
startActivityForResult(promptInstall,654);

3- After installing (or if cancelled), apk file is deleted:

 File fileApk = new File (a.getFilesDir() + "/xx.apk" );
 fileApk.delete();

In order to install an apk file, it must be "World Readable", it means that everyone can , after downloading the file (and before installing), get the apk file.

Does anyone know how to set good permissions for avoid external downloads ?

Thank you for reading !

Answer 1

Does anyone know how to set good permissions for avoid external downloads ?

You already have the "good permissions". The installer runs in a separate process from yours, and therefore it must be able to read the file. Since you have no way of granting permissions only to the installer for this, you have to grant read permissions to all possible processes.

For most things, we would use a ContentProvider to get around this limitation. Alas, at least as of a year ago, the installer did not support content:// Uri values.