Integrating the Android System Service Application
Most enterprises use devices that are customized for their requirement. For example having a custom android device that functions as a POS. In such situations organizations prefer to have and maintain custom firmwares or get device vendors to build a custom device to suite their requirement. For example apps or devices having the capability to sign their POS app with the vendor firmware signing key and install it on devices as a system app.
WSO2 IoTS provides a separate service application that can be signed by a firmware signing key and installed on the devices as a system application alongside the Android Agent application. This enables you to have better control over the devices registered with WSO2 IoTS. Since this is a system app it provides system level capabilities, such as device firmware upgrade, reboot and enforcing security policies, and much more.
For more information on managing the system service Android application see the following subsections:
Securing Communication
When the system service app is installed on a device that is registered with WSO2 IoTS, the Android Agent communicates with it to trigger system level operations from the WSO2 IoT Server. The communication between the system service application and the Android agent is secured by two layers of protection as listed below:
Via the signature - The system will grant permission only if the requesting application is signed with the same certificate as the application that is declared in the permission.
For more information on securing the communication, see <permissions> on the Android Developer documents.
- Check the package name of the intent who makes the call to verify that it’s a request from the Android agent.
Integrating the system service application
Follow the steps given below to integrate the system service Android application:
- Â Build the system service application.
- Download the source code.
- The system service app can not be built via the usual android developer SDK, as it requires access to developer restricted APIs. Therefore, you need to replace the existing
android.jar
file that is under the<SDK_LOCATION>/platforms/android-<COMPILE_SDK_VERSION>
directory with the explicitly builtandroid.jar
 file that has access to the restricted APIs.Â
Download the Android Open Source Project (AOSP) and build the source code to get thejar
file for the required SDK level. - Open the system service application source code via Android Studio and clean build it as a usual android application.
Sign the system service.
Sign the application via the device firmware signing key. If you don’t have access to the firmware signing key, you have to get the system application signed via your device vendor.ÂFor more information of singing the system service, see Signing Your Applications.
Install the system service application by following any of the methods given below:
 If you have your own firmware, the system service application will be available out of the box with your firmware distribution.
Copy the signed system service APK file to theÂ
/system/priv-apps
directory of the device.ÂWhen the device boots or restarts for the first time, it will automatically install the application as a system application.
Install the system service application externally via an Android Debug Bridge command.
For more information on how this takes place on WSO2 IoTS, see Configuring the service application
Enable the system service invocations through the WSO2 Â Android Agent application
Make sure to sign the Android-Agent using the same device firmware signing key that was used to sign the System Service Application, else you will run into security exceptions.
Navigate to theÂ
Constants.java
class, which is in theorg.wso2.emm.agent.utils
package and configure theÂSYSTEM_APP_ENABLED
field as follows:Â public static final boolean SYSTEM_APP_ENABLED = true;
- Rebuild the Android agent application.
- Rename the created
.apk
 file toÂandroid-agent.apk
. - Copy the renamed file and replace it instead of the existingÂ
android-agent.apk
. file that is in theÂ<IOTS_HOME>/repository/deployment/server/jaggeryapps/android-web-agent/app/pages/mdm.page.enrollments.android.download-agent/public/asset
 directory.
You can now start enrolling your Android devices. For more information, see Android.
Operations supported via the system service application
The following operations are supported via the system service application:
Device Reboot | Restart or reboot your Android device. |
---|---|
Firmware upgrade | Upgrade the firmware of Android devices. |
Enforcing user restrictions | Restrict different functions on the user's device using this REST API. When adding a policy you will have the option of saving the user restriction policy or saving and publishing the user restriction policy. |
Silent app installation, removal and update | Application installation, removal and update will be performed without the user's confirmation when the Android system service application is available on an Android device. This operation is only available for enterprise applications (apps that were created by your organization) and is not available for public applications (publicly available apps, such as free apps available online). |