Allow an app to download another app?

[Sunny Rio]

I'm running Yoyo at home. https://www.rechenkraft.net/yoyo/
It works on Android 4 and 7, but not 9.
The Yoyo folk say Google made Android 8.1+ prevent an app downloading another app.
How can I allow it to do this?
https://www.rechenkraft.net/forum/viewtopic.php?f=57&t=17380

 

[mikedt]

Apps can do that, because that's exactly what third-party app stores and repos can do, APKpure etc. However the user must give permission manually for the app store to download and install whatever app they've chosen. And the chosen app doesn't automatically run of course.

I've never heard of this Yoyo at home, but it sounds like something that their devs need to fix ASAP. And when I clicked on their site's "download" it takes me to what looks like a source code repo. https://www.rechenkraft.net/yoyo/download/download/ Do you have to build it yourself?

You wouldn't want any software or app able to arbitrarily download, install, and execute some whatever other software/app(that could be malicious) on any OS, that's basic software security-101.

 

[Sunny Rio]

That's what I'm asking, how can I give permission for it to do this? I trust them.

What do you mean by "doesn't automatically run"?

I don't have to build anything, it's just a Boinc project that runs on my phone (or computer) and does science work. I attach to their project and the Boinc client installed on my phone or computer runs their software.

Not sure what's happening here. I installed one program called Boinc (look it up), that then downloads a program for any project I attach it to (medicine, maths, astrophysics, whatever), and runs it. They all work just fine except this one, which then downloads a program itself. Why is Android making this distinction? I install program A, it installs program B, that installs program C. Only at C does Android have a hissy fit, yet B was ok?!?

I don't like your attitude about security. It's MY phone and if I want to trust someone implicitly, that should be MY choice, not Google's.

 

[mikedt]

That's what I'm asking, how can I give permission for it to do this? I trust them.

What do you mean by "doesn't automatically run"?

I don't have to build anything, it's just a Boinc project that runs on my phone (or computer) and does science work. I attach to their project and the Boinc client installed on my phone or computer runs their software.

I only had the site you posted in your OP, and when i clicked the Downloads, it took me to some repo of code, and no obvious Android APK for me to install and try.......

What is one supposed to do with the that?

Not sure what's happening here. I installed one program called Boinc (look it up), that then downloads a program for any project I attach it to (medicine, maths, astrophysics, whatever), and runs it. They all work just fine except this one, which then downloads a program itself. Why is Android making this distinction? I install program A, it installs program B, that installs program C. Only at C does Android have a hissy fit, yet B was ok?!?

If the others are working, why not this one then then? Seems to me these particular developers need to perhaps fix and update their stuff, so it can work like the others. Has this Yoyo and home thing really not worked since Android 8 or 9? That's quite a long time. How many other Android users are howling about it?

I don't like your attitude about security. It's MY phone and if I want to trust someone implicitly, that should be MY choice, not Google's.

Well it's your hardware, but the proprietary software that's on it isn't yours, that belongs to Google and/or the device's manufacturer, e.g. Samsung etc. Unless you root it and install an open source custom ROM. BTW this has nothing to do with my attitude, it's fact of how it is with most Android phones and tablets.

 

[Hadron]

Sounds like B doesn't have the permission to download and install. Possibly it isn't written to request that permission. If it's a separate app then A having permission doesn't help B, if it's more some sort of sub-module it would depend on how B tries to download and install (if it is still trying to do it Android 5 style that's the problem, but if it could get A to do it you'd expect that to work).

As for "attitudes to security" remember that it's Google's attitude you have a problem with, not Mike's. You can grant any app the permission to install apps if that app requests it. Under the old model you could choose to either allow all third party apps to install other apps or none, but once you granted that it allowed malware to use the ability, and even if the user realised that an app was being installed they wouldn't know what had done it. That's why having to authorise the individual app is better for security, because if a flashlight asks to be allowed to install apps all but the dimmest people would get suspicious, whereas previously if you'd turned on the permission so that you could use a third party app store that malicious flashlight would have free rein.

 

[Sunny Rio]

I only had the site you posted in your OP, and when i clicked the Downloads, it took me to some repo of code, and no obvious Android APK for me to install and try.......

Not sure how you got to that list of files, that's some source code if you want to play with it - they encourage people to optimise code, or recompile for a new OS etc.

The home page is https://www.rechenkraft.net/yoyo/ and near top left is:

• This project uses BOINC. If you're already running BOINC, select Attach to Project. If not, download BOINC.

When you click download Boinc you are taken to https://boinc.berkeley.edu/download.php which gives you the download. If it's the wrong OS, there's "all versions" below it.

Boinc is the only program you actually install. Then you tell that to run any number of projects you're interested in. It then (successfully) downloads executable files from various projects and runs them, without the phone even pestering me for approval. For some reason, I think Yoyo's executable then downloads an executable, which is perhaps getting the OS upset. It seems to be fine with a program I installed running other programs, but no further nested that that.

If the others are working, why not this one then then? Seems to me these particular developers need to perhaps fix and update their stuff, so it can work like the others. Has this Yoyo and home thing really not worked since Android 8 or 9? That's quite a long time. How many other Android users are howling about it?

The developers can't be bothered, they blame Google for changing what used to work fine. I'm still running it on an Android 4 and 7 device. Also Yoyo runs on PC CPUs, so probably 95% of their work is done on Windows/Mac/Linux machines, not Android.

Well it's your hardware, but the proprietary software that's on it isn't yours, that belongs to Google and/or the device's manufacturer, e.g. Samsung etc. Unless you root it and install an open source custom ROM. BTW this has nothing to do with my attitude, it's fact of how it is with most Android phones and tablets.

What is on my phone belongs to me. In whatever way Google got payment from me for it, through advertising, from Samsung, whatever. It's mine. Just as the engine in my car belongs to me.

Tesla are apparently doing something similar - I buy a new Tesla, get all the optional upgrades (which are just switched on by software), then I sell you the car 3 years later. Tesla actually disable them! They then ask you to pay for them AGAIN! They've sold the same thing twice. They got away with it in a US court, but public opinion disagreed so they returned the extras to the second owner to save face.

 

[Sunny Rio]

Sounds like B doesn't have the permission to download and install. Possibly it isn't written to request that permission. If it's a separate app then A having permission doesn't help B, if it's more some sort of sub-module it would depend on how B tries to download and install (if it is still trying to do it Android 5 style that's the problem, but if it could get A to do it you'd expect that to work).

As for "attitudes to security" remember that it's Google's attitude you have a problem with, not Mike's. You can grant any app the permission to install apps if that app requests it. Under the old model you could choose to either allow all third party apps to install other apps or none, but once you granted that it allowed malware to use the ability, and even if the user realised that an app was being installed they wouldn't know what had done it. That's why having to authorise the individual app is better for security, because if a flashlight asks to be allowed to install apps all but the dimmest people would get suspicious, whereas previously if you'd turned on the permission so that you could use a third party app store that malicious flashlight would have free rein.

If I go to system, apps, I can see A (Boinc). Why can I not see B (Yoyo)? Then I could tell the OS to be nice to Yoyo. Yoyo is an executable, so are the other things running under A, like Universe. They aren't listed either.

Actually this is even more weird - under A (Boinc) there is "permissions - no permissions required", so how is it downloading B?

Ok, now I found a menu within that permissions to show app capabilities. Boinc (A) has:
run at startup
have full network access
prevent phone from sleeping
view network connections
close other apps
run foreground service

Not sure what in there lets it download and run an executable. Run foreground service?

 

[Hadron]

The definition of a foreground service in Google's developer documentation doesn't sound like something that can download and run an executable.

However I notice that the BOINC documentation says that on Windows and Mac it uses VirtualBox. So my guess is that the BOINC Android client is running your applications in a virtual machine. That would mean that they are not installed as actual Android apps, which is why no special privileges are needed: the applications would be downloaded as data blobs by BOINC and then run within BOINC. Of course I've not found anything about what environment BOINC uses on Android, so there's a big element of speculation here, but since the applications like YoYo or LHC@Home work on different computer platforms it makes sense that BOINC is using a virtual machine: otherwise they would have to be built separately for each platform (Windows, Mac, Linux, Android, etc). And while Android is based on the Linux kernel, its runtime environment is very different so some additional trickery would be needed for it to run linux applications.

If this guess is right then YoYo would not be installed as an android app the way BOINC is, and so there's no way for it to ask for permission to install anything: YoYo is probably a linux app running in a virtual environment provided by BOINC. I don't have time to research how YoYo's own modules work, but my guess is that whatever virtual environment BOINC is running YoYo in doesn't support the way that at least some YoYo projects work. I do notice that while YoYo itself is described as compatible with Android only a small number of the sub-projects list Android amongst the available platforms.

But I'll also note that that last comment in the YoYo forum said that BOINC doesn't work at all in Android 10+ because of the inability to download executables. This seems unlikely since the BOINC android APK is more than a year newer than that comment, so I don't think they fully understood the issues.

In any event I don't think this is a matter of granting that permission to YoYo or even BOINC, because there is nothing here that is asking for the permission in the first place.

 

[mikedt]

Not sure how you got to that list of files, that's some source code if you want to play with it - they encourage people to optimise code, or recompile for a new OS etc.

The home page is https://www.rechenkraft.net/yoyo/ and near top left is:

• This project uses BOINC. If you're already running BOINC, select Attach to Project. If not, download BOINC.

When you click download Boinc you are taken to https://boinc.berkeley.edu/download.php which gives you the download. If it's the wrong OS, there's "all versions" below it.

Boinc is the only program you actually install. Then you tell that to run any number of projects you're interested in. It then (successfully) downloads executable files from various projects and runs them, without the phone even pestering me for approval. For some reason, I think Yoyo's executable then downloads an executable, which is perhaps getting the OS upset. It seems to be fine with a program I installed running other programs, but no further nested that that.

The developers can't be bothered, they blame Google for changing what used to work fine. I'm still running it on an Android 4 and 7 device. Also Yoyo runs on PC CPUs, so probably 95% of their work is done on Windows/Mac/Linux machines, not Android.

Maybe I'll try it, I have an old Dell laptop that someone gave to me, now running Ubuntu.

What is on my phone belongs to me. In whatever way Google got payment from me for it, through advertising, from Samsung, whatever. It's mine. Just as the engine in my car belongs to me.

Think that's how it used to be, Like with the 1981 Vauxhall Chevette I used to drive, that didn't have any computers in it whatsoever. And the engine had points, coil, condenser, distributor., and a carburettor. Unlike modern cars, what goes on in those ECUs isn't yours, that belongs to Ford, GM, VW, Nissan, Toyota, Honda, etc. And if it doesn't go, good luck trying to find out why, and only the approved dealerships can fix it.

Tesla are apparently doing something similar - I buy a new Tesla, get all the optional upgrades (which are just switched on by software), then I sell you the car 3 years later. Tesla actually disable them! They then ask you to pay for them AGAIN! They've sold the same thing twice. They got away with it in a US court, but public opinion disagreed so they returned the extras to the second owner to save face.

Yeh, the proprietary software in Teslas isn't your property.

 

[Sunny Rio]

However I notice that the BOINC documentation says that on Windows and Mac it uses VirtualBox. So my guess is that the BOINC Android client is running your applications in a virtual machine.

I'll stop you there and you can reconsider. Boinc CAN run virtualbox on PCs, but it's only for a few projects that want to run Linux programs on any machine using their exact OS image to make things precise. Most Boinc stuff on PCs just runs a normal executable file native to whatever OS you have. Only LHC, Cosmology, Rosetta, QuChemPedia use Virtual box. The other 30ish projects do not.

 

[Sunny Rio]

Think that's how it used to be, Like with the 1981 Vauxhall Chevette I used to drive, that didn't have any computers in it whatsoever. And the engine had points, coil, condenser, distributor., and a carburettor. Unlike modern cars, what goes on in those ECUs isn't yours, that belongs to Ford, GM, VW, Nissan, Toyota, Honda, etc. And if it doesn't go, good luck trying to find out why, and only the approved dealerships can fix it.

Yeh, the proprietary software in Teslas isn't your property.

It's on my driveway, it's mine. This is basic common sense. There is in fact a company that will unlock the hidden abilities of the car you paid for without giving more cash to Tesla.

Anyway, we're not talking about the software as such, you seem to be considering something more along the lines of me maybe using the source code and making my own program and selling it for a profit. I'm talking about a physical thing in your car which the software has disabled. That physical thing, AC unit, extra acceleration, extra range, whatever, is mine, and obviously mine.

It seems their idea is to make the cars cheaper by making them all top of the range, then you pay for the bits you want to use. But then when you sell it, they try to charge for those extra bits again!

In any case, if the thing is in front of me, I will use it. If they don't allow me to, then I won't be ever buying a car from that criminal company.

 

[Hadron]

I'll stop you there and you can reconsider. Boinc CAN run virtualbox on PCs, but it's only for a few projects that want to run Linux programs on any machine using their exact OS image to make things precise. Most Boinc stuff on PCs just runs a normal executable file native to whatever OS you have. Only LHC, Cosmology, Rosetta, QuChemPedia use Virtual box. The other 30ish projects do not.

It doesn't change the fact that there's no way for the user to do what you originally asked. The user can only grant permissions to things installed as normal Android apps (and hence visible in the system Settings), and only if those apps request the permissions in the first place. From your own description the BOINC projects are not installed that way, so they can't interact with the permission management and you can't grant them permissions. And BOINC itself doesn't ask for this permission (it clearly doesn't need it). So as far as anything you can do goes, that's it.

Perhaps the YoYo team could work with the BOINC team to allow YoYo to use BOINC's features to download and run its modules the way BOINC downloads and runs YoYo itself? But that would be a matter for those 2 development teams. All I can suggest is telling YoYo that it doesn't work and see whether they can propose anything.

 

[Sunny Rio]

It's odd, I never gave permission for Boinc to download and run executables, and yet it can. Maybe I did years ago, since I used a Samsung utility to copy all the apps from my old Android 7 phone to this one, so it might have copied permissions. But there definitely aren't permissions for Boinc to do that when I look at it's info.

Yoyo said they had no interest in fixing it two years ago when someone else complained. I guess they designed it badly and got away with it until android got more secure. boinc is not the easiest thing to work with, they probably tried and failed to get it's own downloader to function. When you say "Boinc team" - actually that's one guy, a volunteer out of work programmer. nothing ever gets fixed.

My Android 4 phone is absolutely awful at security, it's full of Adware and nothing even rooting gets rid of it, every single time I turn on the screen a browser opens with an advert. Probably (knowing the source) it was injected into the OS at the factory.