A more secure evolution of the legacy PackageInstaller class.

Datalogic is committed to providing secure and reliable devices for your business operations. As part of our continuous efforts to enhance device security, we have implemented a significant security enhancement for the Package Installer functionality on Datalogic devices. This enhancement addresses a vulnerability reported by Google and aims to provide more granular control over device functionality, ultimately reducing risks associated with potential attacks and undesirable behavior. This technical note will explain the changes, their impact, and guide you through the necessary steps to configure your devices and applications to ensure continued seamless operation.

Background: Understanding the Vulnerability

Previously, the Package Installer APIs allowed any application to request the installation of an APK file, bypassing the REQUEST_INSTALL_PACKAGES permission. This capability was provided to support enterprise scenarios that require application installation without end-user authorization (silent installation). This meant that a malicious app could bypass this sensitive permission and silently install new APKs without user interaction, posing a potential security risk.

Enhancing Control While Preserving Utility

Especially in business and enterprise environments, companies often need to maintain control and management of devices without requiring employee interaction for configuration settings or unattended app installations.

However, to mitigate the security vulnerability and enhance overall device integrity, we have introduced controlled access to device functionalities that may have security implications, such as app installation. It enables customers to specify which applications can access sensitive features by associating authorized applications with their package names and certificates, providing a tailored whitelisting solution.

How the Access Control Works

The system operates primarily in two security modes: Permissive and Enforced.

  • Permissive Mode: In this mode, security is inactive, and applications are allowed to use the Package Installer APIs without restriction. This mode is primarily intended to ensure backward compatibility for devices already deployed in the field or those upgrading from older firmware versions.
  • Enforced Mode: In this mode, security is active, and applications are restricted from using the Package Installer APIs unless they are explicitly authorized. This mode is the default for newly installed devices (first-boot behavior) or after a factory reset on a new firmware version supporting this feature.

Impact on Your Operations and How to Configure

For New Devices or After a Factory Reset: If the device is either brand new or has been factory reset while running the firmware version listed in the table below, or any later version, the Security Mode will be Enforced by default, and the Package Installer API will be locked from further access. Any interaction with the API by non-whitelisted apps will throw a Security Exception.

NOTE: To allow your applications to utilize the Package Installer functionality, you must whitelist them.

For Devices Upgrading Firmware: If the device firmware is upgraded from an earlier version to the firmware version listed in the table below, or any later version, the Compatibility Mode will be Active, and the Security Mode will remain Permissive. This means the Package Installer API will be left "unlocked" to maintain backward compatibility for existing users. Your existing applications should continue to function as before without immediate configuration changes.

| Device | OS version | Firmware version | Build number |
|---|---|---|---|
| Joya Smart | A15 | GA | not available yet |
| Memor 12 / 17 | A15 | GA | not available yet |
| Memor 30 / 35 | A15 | GA | 3.03.005.20250616 |
| Memor 12 / 17 | A13 | SMR 0.8 | 1.19.012.20250528s |
| Memor 30 / 35 | A13 | SMR 0.8 | 1.19.012.20250528s |
| MemorK 20 / 25 | A13 – GMS | GA | 1.01.03.20250522 |
| MemorK 20 / 25 | A13 – AOSP | GA | 1.01.04.20250613 |
| Memor 11 A13 | A13 | SMR 7 | 2.07.16.20250523s |
| Joya Touch 22 | A13 | SMR25.06 | 4.07.000.20250601s |
| Skorpio X5 | A13 | SMR25.06 | 4.07.002.20250611s |
| Memor 20 | A13 | SMR25.06 | 4.07.000.20250601s |

How to Enforce the Security

If you wish to enable the full security enforcement and whitelisting features on an upgraded device that is in "Permissive" mode due to compatibility, you should perform a factory reset. A factory reset will automatically enforce the security settings by default, preventing malicious manipulation of settings and ensuring critical customer apps are protected.

How to Configure Security Enforcement and Whitelisting

The whitelisting mechanism cannot be configured via the SDK. To ensure device integrity, security enforcement and whitelisting can only be applied through authorized methods:

  • Scanning a Barcode via Scan2Deploy Studio: You can generate a barcode using Scan2Deploy Studio that includes your security and whitelisting configurations. Users can then set up security enforcement and whitelisting by scanning this barcode. 
  • Sending Configuration via EMM/OEMConfig: For customers using Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) solutions, you can configure security enforcement and whitelisting by sending the configuration via OEMConfig. IT administrators will have the ability to lock/unlock the API through their EMM interfaces.

Guidance for Configuring Your Applications

To ensure your applications continue to function correctly with the Package Installer, especially in Enforced Mode:

  1. Identify Your Application's Package Name and Certificate: You will need the exact package name and the signing certificate of your application.
  2. Use Scan2Deploy Studio or OEMConfig: Utilize one of these authorized tools to create or update your security configuration. 
  3. Add Your Application to the Whitelist: Specify your application's package name and certificate in the whitelist section of the configuration.
  4. Deploy the Configuration: Apply the configuration to your Datalogic devices using the barcode scanning method or via your EMM/MDM solution.

For more detail see: Section below, Scan2Deploy Studio Overview, Datalogic OEMConfig Security Settings - SDK API access.


Scan2Deploy Studio Guidance – Step-by-Step Configuration

  1. Open Scan2Deploy Studio, then create a new profile or open an existing one.
  2. On the ActionSelection page, ensure that "Device and Scanner Settings" is enabled.
  3. Go to the "Device Settings" page and browse the property tree.
  4. The Security section lets you configure security-related features, such as allowing a user app to access dedicated Datalogic SDK APIs that are restricted for security reasons.
  5. The Datalogic SDK API access section lets you authorize configured apps to access restricted SDK APIs.
    Available settings:
    1. Reset API Access List:
      This switch clears any previous configuration on the device before applying the new one built in Scan2Deploy Studio.
    2. PackageInstaller API Package:
      This section lets you configure the user apps that are authorized to access the Package Install APIs. Only apps listed with a valid package name and signature will be allowed.
      • Package Name is the text input field specifying the unique identifier of the application (e.g. com.datalogic.sample).
      • Package Signature SHA-256 Digest is the text input field specifying the SHA-256 hash of the application's signing certificate. This ensures that only the correctly signed version of the app is allowed (e.g. E8:F2:D1:C0:6F:0F:A9:C0:F...).
      • The Add button can be used to add other apps.
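
To illustrate the two-field match described above, here is an added Python sketch (not Datalogic code and not part of the original note) that normalizes a certificate SHA-256 digest into the colon-separated form shown in the field example and models the Permissive/Enforced decision. The function names, the sample certificate bytes and the matching logic are assumptions made for illustration; the note does not describe the device's actual implementation.

```python
import hashlib
import re

# Android package name: dot-separated segments, each starting with a letter.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")


def normalize_digest(text):
    """Return a SHA-256 digest as upper-case, colon-separated byte pairs."""
    hex_only = re.sub(r"[:\s]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hex_only):
        raise ValueError("not a SHA-256 digest: expected 32 bytes of hex")
    return ":".join(hex_only[i:i + 2] for i in range(0, 64, 2))


def digest_of_certificate(der_bytes):
    """SHA-256 over the DER-encoded signing certificate, in the field's format."""
    return normalize_digest(hashlib.sha256(der_bytes).hexdigest())


def make_entry(package, digest_text):
    """Validate one whitelist row before it goes into a profile."""
    if not PACKAGE_RE.fullmatch(package):
        raise ValueError(f"invalid package name: {package!r}")
    return (package, normalize_digest(digest_text))


def is_authorized(mode, whitelist, package, cert_digest):
    """Model: Permissive allows every caller; Enforced needs name AND digest."""
    if mode == "permissive":
        return True
    return (package, normalize_digest(cert_digest)) in whitelist


# Constructed stand-ins for two signing certificates (not real DER data).
RELEASE_CERT = b"constructed release signing certificate"
RESIGNED_CERT = b"constructed certificate of a re-signed copy"

# The digest is given here in lower-case hex without colons on purpose.
WHITELIST = {make_entry("com.datalogic.sample",
                        hashlib.sha256(RELEASE_CERT).hexdigest())}

if __name__ == "__main__":
    for cert in (RELEASE_CERT, RESIGNED_CERT):
        digest = digest_of_certificate(cert)
        for mode in ("enforced", "permissive"):
            ok = is_authorized(mode, WHITELIST, "com.datalogic.sample", digest)
            print(mode, digest[:11] + "...", "allowed" if ok else "denied")
```

`apksigner verify --print-certs` reports the signer's SHA-256 digest as 64 lower-case hex characters without separators, which `normalize_digest` converts to the colon-separated form.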

  

Conclusion

This security enhancement is a crucial step towards making Datalogic devices even more secure and robust, protecting them from potential vulnerabilities while offering you greater control over their functionality. While it introduces new configuration requirements, particularly for new deployments or after a factory reset, our goal is to ensure business continuity and maintain the integrity of your operations. By following the configuration guidelines, you can ensure your applications continue to leverage the Package Installer seamlessly in a more secure environment.

