1. Define some global variables, file location:
Build.java (frameworks\base\core\java\android\os)
// Nested in Build; the later code refers to these fields as Build.ThintaCust.*
public static class ThintaCust {
    /**
     * Package management method:
     *   whitelist:   package-name whitelist
     *   certificate: certificate authentication
     *   none:        not managed
     */
    public static String packageManage = "none";

    /** Whitelist of apps that are allowed and that the Launcher may display */
    public static String[] packageAllow = new String[] {
        "com.baidu.searchbox",
        "com.thinta.product.thintazlib",
        "com.thinta.product.x4usertool"
    };

    /** Path of the certificate store for apps that are allowed and that the Launcher may display */
    public static String certificatePath = "/system/etc/security/media.zip";
}
2. Modify the APK installation flow to add validation during installation
File to modify:
PackageManagerService.java (frameworks\base\services\core\java\com\android\server\pm)
First add a function:
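// Imports required by the added code (skip any that the file already has).
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

// Loads every entry of the zip at the given path as one X.509 certificate.
private static HashSet<X509Certificate> getTrustedCerts(File keystore)
        throws IOException, GeneralSecurityException {
    HashSet<X509Certificate> trusted = new HashSet<X509Certificate>();
    if (keystore == null) {
        return trusted;
    }
    ZipFile zip = new ZipFile(keystore);
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Enumeration<? extends ZipEntry> entries = zip.entries();
        while (entries.hasMoreElements()) {
            ZipEntry entry = entries.nextElement();
            InputStream is = zip.getInputStream(entry);
            try {
                trusted.add((X509Certificate) cf.generateCertificate(is));
            } finally {
                is.close();
            }
        }
    } finally {
        zip.close();
    }
    return trusted;
}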
Modified function: private void installPackageLI(InstallArgs args, PackageInstalledInfo res)
First modification:
// Request signatures from the parser only when certificate mode is active.
int tmp_flags = 0;
if (Build.ThintaCust.packageManage.equals("certificate"))
    tmp_flags = PackageManager.GET_SIGNATURES;
final int parseFlags = mDefParseFlags | PackageParser.PARSE_CHATTY
        | (forwardLocked ? PackageParser.PARSE_FORWARD_LOCK : 0)
        | (onSd ? PackageParser.PARSE_ON_SDCARD : 0)
        | tmp_flags;

Second modification:

if (Build.ThintaCust.packageManage.equals("none")) {
    Log.d("Xyp_debug", "packageManage = none\n");
} else if (Build.ThintaCust.packageManage.equals("whitelist")) {
    Log.d("Xyp_debug", "packageManage = whitelist\n");
    // The package name is declared by the APK itself; this branch does not check who signed it.
    List<String> list = Arrays.asList(Build.ThintaCust.packageAllow);
    if (list.contains(pkg.packageName)) {
        Log.d("Xyp_debug", "can install\n");
    } else {
        Log.d("Xyp_debug", "forbid install\n");
        res.setError(PackageManager.INSTALL_FAILED_USER_RESTRICTED,
                "installPackageLI, forbid install");
        return;
    }
} else if (Build.ThintaCust.packageManage.equals("certificate")) {
    int verify_pass = 0;
    try {
        File file = new File(Build.ThintaCust.certificatePath);
        HashSet<X509Certificate> trusted = getTrustedCerts(file);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Accept the APK if any of its signing certificates carries a trusted public key.
        for (X509Certificate c : trusted) {
            String tmp_public_key = c.getPublicKey().toString();
            for (Signature sig : pkg.mSignatures) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(
                        new ByteArrayInputStream(sig.toByteArray()));
                String tmp_key = cert.getPublicKey().toString();
                if (tmp_public_key.equals(tmp_key)) {
                    verify_pass = 1;
                    break;
                }
            }
            if (verify_pass == 1) break;
        }
    } catch (FileNotFoundException e) {
        Log.d("Xyp_debug", e.toString());
    } catch (CertificateException e) {
        Log.d("Xyp_debug", e.toString());
    } catch (IOException e) {
        Log.d("Xyp_debug", e.toString());
    } catch (GeneralSecurityException e) {
        Log.d("Xyp_debug", e.toString());
    }
    // Checked after the try block so that a missing or unreadable certificate
    // store rejects the install instead of letting it through.
    if (verify_pass != 1) {
        Log.d("Xyp_debug", "forbid install\n");
        res.setError(PackageManager.INSTALL_FAILED_USER_RESTRICTED,
                "installPackageLI, forbid install");
        return;
    }
}
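The three modes above reduced to one function that can be exercised on a desktop JVM, as an added example (not code from the original post or from the Android framework). `InstallPolicyDemo`, `allowed` and `expect` are hypothetical names, the RSA keys are constructed stand-ins for the public keys of signing certificates, and two choices are assumptions of this example: keys are compared by their encoded bytes, and an unrecognized mode string rejects the install.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
public class InstallPolicyDemo {
    // Hypothetical helper, not framework code: the page's three modes as one function.
    static boolean allowed(String mode, String pkgName, Set<String> allowedPkgs,
            List<PublicKey> apkSigners, List<PublicKey> trustedKeys) {
        switch (mode) {
            case "none":
                return true; // not managed
            case "whitelist":
                return allowedPkgs.contains(pkgName);
            case "certificate":
                // An empty store (missing or unreadable zip) matches nothing, so it rejects.
                for (PublicKey trusted : trustedKeys) {
                    for (PublicKey signer : apkSigners) {
                        // Assumption of this example: compare encoded key bytes, not toString().
                        if (Arrays.equals(trusted.getEncoded(), signer.getEncoded())) return true;
                    }
                }
                return false;
            default:
                return false; // unrecognized mode string: reject
        }
    }

    static void expect(boolean expected, boolean actual, String what) {
        if (expected != actual) throw new AssertionError(what);
        System.out.println(what + " -> " + actual);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample keys standing in for the public keys of signing certificates.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey vendorKey = gen.generateKeyPair().getPublic();
        PublicKey otherKey = gen.generateKeyPair().getPublic();
        Set<String> allow = Set.of("com.thinta.product.x4usertool");
        List<PublicKey> store = List.of(vendorKey);
        List<PublicKey> none = List.of();
        expect(true, allowed("whitelist", "com.thinta.product.x4usertool", allow, none, store), "listed package");
        expect(false, allowed("whitelist", "com.example.unlisted", allow, none, store), "unlisted package");
        expect(true, allowed("certificate", "com.example.unlisted", allow, List.of(vendorKey), store), "trusted signer");
        expect(false, allowed("certificate", "com.example.unlisted", allow, List.of(otherKey), store), "untrusted signer");
        expect(false, allowed("certificate", "com.example.unlisted", allow, List.of(vendorKey), none), "empty store");
        expect(false, allowed("Certificate", "com.example.unlisted", allow, List.of(vendorKey), store), "mis-cased mode");
    }
}
```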
3. How the certificate is compressed:
zip -r media.zip media.x509.pem
The *.x509.pem file is packaged directly into a ZIP file and then placed in the appropriate location on the target board;
Set certificatePath from the first step to the location where the zip file is stored.
APK installation filter methods: package-name whitelist, certificate authentication