Incorporating Prebuilt APK as Device Admin in AOSP Build with Pre-Granted Runtime Permissions for Android 14


I am working on integrating a prebuilt APK into an AOSP (Android Open Source Project) build for an Android 14 based system, and I would like to configure it as a device admin and owner. Additionally, I need to pre-grant some runtime permissions to this app.

Here's what I have and what I'm looking to achieve:

  1. Prebuilt APK: I have an APK that I want to include in the AOSP build without modifying its source code.

  2. Device Admin and Owner: This app needs to be set as the device admin and owner.

  3. Runtime Permissions: Some permissions, which are typically granted at runtime, need to be pre-granted as the app will serve a critical role in the system.

My questions are:

  1. Prebuilt APK Integration: What is the best approach to add a prebuilt APK into the AOSP build system?

  2. Device Admin Setup: How do I set up my prebuilt app as the device admin and owner during the build process?

  3. Pre-Granting Permissions: What steps are necessary to pre-grant specific runtime permissions for my app on Android 14, considering the new permission model changes?

  4. Android 14 Considerations: Are there any specific changes or considerations I should be aware of when performing these tasks for Android 14?

I have searched through the documentation and existing Stack Overflow questions but haven't found a definitive guide that encompasses these requirements for Android 14. Any help or pointers towards the right documentation would be greatly appreciated!

Thank you in advance for your assistance!

Here's what I've tried so far:

  1. Placing the APK: I placed my APK in the packages/apps directory.
  2. Build Configuration: I added the name of my app to the PRODUCT_PACKAGES in build/target/product/handheld_system.mk.
  3. Privileged Module: Initially, I set LOCAL_PRIVILEGED_MODULE to true in the Android.mk file for my app. However, this causes the app not to appear after boot.

When I remove LOCAL_PRIVILEGED_MODULE, the app shows up, but then it doesn't have the system privileges needed to function as a device admin.

I was expecting that setting LOCAL_PRIVILEGED_MODULE would make my app a system privileged app with the necessary permissions and admin capabilities, but it seems to be preventing the app from being installed correctly.

Rajat Gupta On
  1. Bundling a prebuilt APK: the priv-app directory is a good place, but it also needs a permission whitelist.xml, so make sure you provide that. Ref: Privileged Permission Allowlist
  2. Pre-granting a few permissions: You can follow the default-permissions XML way: Android permissions for system developers. Example from Android 7 (I have tried this in 10 and it did work there): https://android.googlesource.com/device/google/marlin/+/nougat-dr1-release/default-permissions.xml

Also, keep in mind that your app may also cause SELinux denials, so be ready to modify some sepolicy and write supporting rules.
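
The two files this answer refers to, as an added example that is not part of the original answer or of AOSP: a small pre-build audit that parses a privileged-permission allowlist and a default-permissions file and reports gaps and over-grants. The package name `com.example.admin`, the permission choices and both XML samples are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples; package name and permission choices are assumptions.
# Allowlist for a priv-app, installed under /system/etc/permissions/
PRIVAPP_XML = """<permissions>
  <privapp-permissions package="com.example.admin">
    <permission name="android.permission.MANAGE_USERS"/>
    <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
  </privapp-permissions>
</permissions>"""

# Pre-granted runtime permissions, installed under /system/etc/default-permissions/
DEFAULT_PERMS_XML = """<exceptions>
  <exception package="com.example.admin">
    <permission name="android.permission.ACCESS_FINE_LOCATION" fixed="false"/>
    <permission name="android.permission.CAMERA" fixed="true"/>
  </exception>
</exceptions>"""

def allowlisted(xml_text, package):
    """Privileged permissions the allowlist grants to `package`."""
    root = ET.fromstring(xml_text)
    return {p.get("name")
            for block in root.iter("privapp-permissions")
            if block.get("package") == package
            for p in block.iter("permission")}

def pregranted(xml_text, package):
    """Map of pre-granted runtime permission -> True if fixed (user cannot revoke)."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("fixed", "false") == "true"
            for exc in root.iter("exception")
            if exc.get("package") == package
            for p in exc.iter("permission")}

def audit(package, wanted_privileged, wanted_runtime):
    """Compare what the app needs (caller-supplied lists) with what the XML grants."""
    allow = allowlisted(PRIVAPP_XML, package)
    grants = pregranted(DEFAULT_PERMS_XML, package)
    return {
        "missing_from_allowlist": sorted(set(wanted_privileged) - allow),
        "allowlisted_but_unrequested": sorted(allow - set(wanted_privileged)),
        "not_pregranted": sorted(set(wanted_runtime) - set(grants)),
        "fixed_grants": sorted(n for n, fixed in grants.items() if fixed),
    }

if __name__ == "__main__":
    print(audit("com.example.admin",
                ["android.permission.MANAGE_USERS"],
                ["android.permission.CAMERA"]))
```

Entries under `allowlisted_but_unrequested` and `fixed_grants` are worth reviewing for least privilege: the first are privileged grants the app never asks for, the second are runtime grants the user cannot turn off.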