> In looking through the various threads, I see that there are some
> questions on how to handle application storage on SDCARD safely and
> securely.
> I would like to propose a mechanism for handling this in a manner that
> is fair, safe, and secure, however there are bound to be questions
> and or unforseen issues.
> First, in simplest form, the minimum requirements:
> 1) Application and all application data to be stored externally on
> sdcard.
> 2) SDCARD must be able to be removed and replaced at will, including
> possibility of being replaced with a different sdcard.
> 3) Contingency must be made for possibility of installing application
> both internally as well as on sdcard.
> 4) Protected applications installed to sdcard must remain secure.
> 5) Insertion of sdcard into another device should allow application to
> function in other device except in the case where the application is
> "protected".
> 6) SDCARD must be protected from MS-hostility, i.e. mounting sdcard to
> a computer (via usb to phone) must not prompt non-expert users that
> they should format it.
> Scheme:
> i) Need to segregate a group of user id's for use as sdcard-UIDs (i.e.
> 20000-29999).
> ii) Need app, app-private, data, and dalvik-cache directory on sdcard.
> iii) Need a packages.xml on sdcard.
> iv) Upon unmount need to (in order):
> a) kill all running sdcard processes.
> b) refresh package list (modify the package manager to update package
> status by rereading /data/system/packages.xml and sdcard's
> packages.xml).
> c) actually unmount the partition.
> v) Need to modify installer to prompt for where to install to (if
> sdcard is available).
> Problems:
> 1) When sdcard is yanked-without-unmount by non-expert user, running
> application may crash.
> 2) Multiple current installations of the same application -- how to
> select between?
> 3) Copying of protected applications is trivial.
> 4) How to control per-process permissions on a card from an unknown
> source?
> 5) How to safely allow sdcard to be mounted to a separate computer
> without non-expert user reformatting.
> 6) SDCARD applications added to the home screen.
> Solutions:
> 1) Android already kills off background processes to free up memory.
> This can be extended to kill off ALL background processes running on
> SDCARD. The problem here is in the event that a running/foreground app
> is forcibly removed. SDCARD removal (forcefully) should kill all
> processes that would safely be killed off for memory cleanup, and
> forcefully (kill -9) all processes that can't be safely killed. Should
> also show the user an error message that says something like "You
> removed the sdcard without unmounting, the following sdcard
> applications were running and had to be killed. All unsaved data has
> been lost." There is no need to get fancy and save the application
> states.
> 1b) In the event that the user chose to safely unmount the sdcard, IF
> there are running applications, show a message like "The following
> applications on the SDCARD are currently running: ... If you continue,
> these applications will be killed. Would you like to proceed?"
> 2) In the event of multiple of the same applications installed
> (internal and sdcard), choose to run the one on INTERNAL (do not add
> the external one to the application manager). I.e., when scanning the
> applications on the sdcard, if (application exists on internal memory)
> do not add to application manager. The assumption being that if you
> have it installed internally, then the REASON is that you want it to
> be available when you remove or change sdcard.
> 3) Two possible solutions to this;
> a) (I don't like this one) -- don't allow protected apps to be
> installed to sdcard at all. This would be perceived as hostile to
> software vendors wishing their apps to be copy protected.
> b) encrypt protected app's apk and dalvik cache using a key stored
> internally. If the card is inserted into another device, it will not
> have the necessary decryption key and therefore can either not show
> the application at all, or it can show the application as "not
> licensed for this device".
> (*) note: it is not necessary to secure non-protected apps, free or
> priced, since it is by the seller choice that there is no copy
> protection on the app.
> 4) THIS IS A BIG ONE... Insertion and removal of other sdcards,
> particularly given the possibility that the sdcard belongs to someone
> else and/or stands the possibility that it has been tampered with. I
> suggest that there be a group of secure databases on the sdcard, one
> for each device that the card has been inserted into, this database is
> encrypted by the devices encryption key (the same one as 3(b)). If you
> insert an sdcard which has not been used in your device before, it
> will create a new encrypted database and ask which applications to
> allow (showing, of course, their permission requests). The resulting
> database would hold the kind of data corresponding to /data/system/
> packages.xml. There would, of course, also be an option to delete the
> databases for "other" devices (which would prompt the same rebuild).
> There must be, of course, a "master" databases on the sdcard showing
> ALL installed apps, upon insertion, this must be compared to the per-
> device database resulting in the user being prompted for any new
> applications and for removing from the per-device database, any
> obsolete entries.
> 5) Since due to other-device compatibility, it must remain fat32,
> there are two options I can think of;
> a) loopback filesystem within the primary fat32 filesystem. This would
> fly under the radar of MS's hostility routines. Secondary benefit is
> that it would easily allow advanced users to 'mount -o loop' the
> application filesystem.
> b) modify the mass storage controller code to only show the fat32
> filesystem. Makes it a little more akward for advanced users.
> (*) there is another FEATURE that could be added, not exactly
> relevant, but related... Change the mass storage driver to present a
> *virtual* filesystem, i.e., be able to leave the sdcard MOUNTED, but
> still grant access to it (i.e. how NFS is able to share a filesystem
> to (multiple) other machines without making it unavailable to the
> host.
> 6) Two options;
> a) tag it as unavailable. If a different sdcard is inserted containing
> the same app, it would also activate that one. If the same app is
> later added to internal, it would activate that, i.e., the intent
> would be the same since it isn't related to the UID.
> b) don't allow sdcard apps to be added to the home screen. This is
> just slightly easier, but not by much. It is also less "cool".
> I would like to hear about any holes in this scheme that anyone can
> think of.
> And please, if you wish to contribute, be precise about any problems
> that you see with this, and if possible, a solution *within the
> bounds* of the infrastructure I have presented. I would rather not
> have this degenerate into a "yeah, its nice, but wouldn't it be cool
> if we did this instead". I would like comments that are constructive
> with respect to making these suggestions happen with absolutely as
> little modification as is required.
> If we are able to come up with a concrete logical scheme, then at that
> point I would like to begin working on this from an implementation
> perspective, i.e., how to *actually* make it happen.
