I'm building an Android kiosk app (runs as Device Owner) that will not be in the Google Play Store and will be provisioned by QR code.
Until now, things have been working pretty well. I can sign my app, build a QR code, and get a factory-reset tablet (Samsung Galaxy Tab A) to read the QR code, install the app, and start as a kiosk. I did this all using a local web server that is not secured or on the internet.
Now, I'm moving to using our public-facing web server that is protected via Basic Auth. I've tried just using a regular URL in the QR code like this:
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://<fully_qualified_server_name>/<path_to_apk>/<apk_name>"
Obviously with the <>s filled in correctly. This doesn't work, but isn't too surprising. I was just hoping Samsung/Google's software would be smart enough to prompt me for a username and password.
So, then I tried it with the username and password inside the QR code:
"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://<username>:<password>@<fully_qualified_server_name>/<path_to_apk>/<apk_name>"
But this didn't work either. Both fail with the unhelpful error message:
Oops! Couldn't download the admin app.
The second URL works correctly with wget, so I don't think there is a typo here. The first one fails with wget, because it needs the username and password.
Since the tablet isn't configured yet, I can't turn on USB debugging to find a more helpful error message.
Is there a way to make this work with basic (or any) authentication? Or any ideas on how to get a more helpful error message?
UPDATE
Looking at the access log from our web server, we can see the same URL working correctly from a web browser or wget, but Android fails with:
<hostname_redacted> 72.48.253.220 - - [11/Jun/2018:10:35:14 -0500] "GET /2.13.0/ORPanel-0.1-release.apk HTTP/1.1" 401 487 "-" "AndroidDownloadManager/7.0 (Linux; U; Android 7.0; SM-T580 Build/NRD90M)"
We are currently thinking we'll allow downloads of APKs from "AndroidDownloadManager" without a username and password. Lame security by obscurity, but I'm not seeing a better option. Constructively, it keeps the username and password out of the QR code.
Underneath, the QR provisioning code is using the AndroidDownloadManager, which apparently doesn't support Basic Auth in the URL, and the provisioning code doesn't have arguments to provide a username and password. So, to work around this shortcoming (thanks, Google!), we changed the .htaccess on our Apache web server so that requests for a .apk file from User-Agents that start with "AndroidDownloadManager" don't need to authenticate.
Here is our .htaccess:
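# Set the ANDROID environment variable when the User-Agent starts with
# "AndroidDownloadManager" (case-insensitive match).
SetEnvIfNoCase User-Agent "^AndroidDownloadManager" ANDROID
# Require Basic Auth for everything in this directory.
AuthType Basic
AuthName "Inst"
AuthUserFile <redacted>
require valid-user
# For .apk files only: Satisfy Any grants access when either the Allow rule
# (ANDROID is set) or the valid-user requirement is met.
# Order/Allow/Satisfy are Apache 2.2 directives (mod_access_compat on 2.4).
<FilesMatch "\.(apk)$">
Order allow,deny
Allow from env=ANDROID
Satisfy Any
</FilesMatch>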
Not really the best, but Google doesn't provide the hooks for the best.
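For auditing the exemption above, an added example (not part of the original post): a Python script that reads access-log lines in the format shown in the question and lists .apk downloads that succeeded without an authenticated user because the User-Agent matched. The sample lines, host name, paths, user name and the `provisioning_clients` list are constructed assumptions.

```python
import re

# Log layout as in the post: vhost client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ (?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Same two tests the .htaccess applies (SetEnvIfNoCase is case-insensitive).
UA_RE = re.compile(r'^AndroidDownloadManager', re.IGNORECASE)
APK_RE = re.compile(r'\.(apk)$')

# Constructed sample lines (documentation addresses, made-up paths and user name).
SAMPLE_LOG = """\
files.example.com 192.0.2.10 - - [11/Jun/2018:10:40:01 -0500] "GET /releases/kiosk.apk HTTP/1.1" 200 5242880 "-" "AndroidDownloadManager/7.0 (Linux; U; Android 7.0; SM-T580 Build/NRD90M)"
files.example.com 192.0.2.10 - alice [11/Jun/2018:10:41:12 -0500] "GET /releases/kiosk.apk HTTP/1.1" 200 5242880 "-" "Wget/1.19.4 (linux-gnu)"
files.example.com 203.0.113.7 - - [11/Jun/2018:23:02:45 -0500] "GET /releases/kiosk.apk HTTP/1.1" 200 5242880 "-" "androiddownloadmanager"
files.example.com 203.0.113.7 - - [11/Jun/2018:23:02:50 -0500] "GET /releases/notes.txt HTTP/1.1" 401 487 "-" "AndroidDownloadManager/7.0"
"""

def exempted_downloads(lines):
    """Entries served via the exemption: .apk delivered with no authenticated user."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format
        path = m['path'].split('?', 1)[0]  # URL path approximates the file FilesMatch sees
        if (m['user'] == '-' and m['status'] in ('200', '206')
                and APK_RE.search(path) and UA_RE.search(m['agent'])):
            hits.append(m.groupdict())
    return hits

def unexpected_clients(hits, provisioning_clients):
    """Addresses that used the exemption but are not where tablets get provisioned."""
    return sorted({h['client'] for h in hits} - set(provisioning_clients))

if __name__ == '__main__':
    hits = exempted_downloads(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h['time'], h['client'], h['path'], h['agent'])
    print('review:', unexpected_clients(hits, {'192.0.2.10'}))
```

Run against the real access log, the `review` list is the set of addresses to look at first, since any client can send this User-Agent header.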