Hi All, We have come up with the following architecture for the $subject after going through the possibilities. This is basically for COPE (Corporate Owned Personally Enabled) devices. This system service will basically require root (system level) access from android system. Therefore this can be used when the device has corporate owned (customized) firmware or when there's a possibility of vendor signing [1] the system service app. In these scenarios above mentioned system service application will run as a system app in the device.
The reason for us to come up with this approach is to enable enterprises to have full control over the devices (COPE) by enabling system level features such as silently install/uninstall apps, execute shell commands as super user, reboot device, retrieve system logs, OTA (Over The Air) update device firmware control advanced system settings etc. This system service runs as a separate service where our android agent application can invoke this service to get above operations executed. Reason for us to separate this service from our agent app is to have the flexibility of using a single agent app for both COPE and other (BYOD/Mixed) scenarios. So the agent app will externally invoke this service in cases of COPE operations mentioned above. Basic communication flow is as follows, *Security level* To make the system service secured, we made the system serviced access level to "signature"[2]. This means only the apps signed with the same key as the key used to sign the system service ONLY can access the system service application. Therefore the EMM Agent app and the system service need to be signed with the same signing key when deploying. Also the system service will not be visible in the foreground in any scenario since it's a standalone service runs in the system. Two apps will communicate by using the Messanger/Handler mechanism[3]. [4] for further explanations on the communication protocol. Please go through the above and reply to the same thread if you have any concerns. [1] - https://source.android.com/devices/tech/ota/sign_builds.html [2] - http://developer.android.com/training/articles/security-tips.html#IPC [3] - http://developer.android.com/guide/components/bound-services.html [4] - http://www.truiton.com/2015/01/android-bind-service-using-messenger/ Thank you -- Kasun Dananjaya Delgolla Software Engineer WSO2 Inc.; http://wso2.com lean.enterprise.middleware Tel: +94 11 214 5345 Fax: +94 11 2145300 Mob: + 94 771 771 015 Blog: http://kddcodingparadise.blogspot.com Linkedin: *http://lk.linkedin.com/in/kasundananjaya <http://lk.linkedin.com/in/kasundananjaya>*
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
