Android browser and basic authentication

The one thing I like about the Android platform compared to the other platforms is the ability to install software from anywhere you like. The platform isn’t locked down to one application source like some of the competing platforms. This ability to install software from multiple sources opens up some nice possibilities for the development and testing process. One particularly helpful ability is that when you are developing a custom application, you can send a testing apk to the customer and he or she can install and test it without a major hassle. To take this even further, you can even host the apk on your own web server and the customer can install it from there with the Android browser.

Building an apk and serving it with a web server is a piece of cake, but what is astonishing is the fact that if you want to be secure and use basic authentication when serving the apk, Android fails miserably. The built-in Android download manager doesn’t support basic authentication at all, something that the desktop browsers have supported for ages. And what’s more troubling is the fact that this defect was reported to Google over two years ago and no visible progress on this issue has been made.

Luckily there are ways to overcome this problem. One solution suggested in the comments of the original bug report was to allow access to all who identify themselves as Android download managers. I’m not a fan of this approach since anybody who knows the URL can download the apk without giving any password. My solution to this problem is to serve the files through a server-side script, PHP for example, that requires a valid password before any data will be sent. That way the client doesn’t need to support basic authentication but the apk will still be password protected.
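One way to build such a script, as an added example that is not code from the original post and is written in Python rather than PHP. It assumes the password is entered in a web form whose handler calls `make_link`, and that the download manager then fetches the returned link without sending any credentials of its own. All names, keys and the password are constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs

# Every value here is constructed for the example; load real ones from config.
SALT = b"constructed-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"example-password", SALT, 100_000)
SIGNING_KEY = b"constructed-signing-key"
APK_BYTES = b"PK\x03\x04 constructed stand-in for the apk file"
LINK_LIFETIME = 300  # seconds a download link stays valid


def sign(expires):
    msg = str(expires).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_link(password, now=None):
    """Return a short-lived download path, or None if the password is wrong."""
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(supplied, PASSWORD_HASH):
        return None
    expires = int(time.time() if now is None else now) + LINK_LIFETIME
    return f"/download?exp={expires}&sig={sign(expires)}"


def link_is_valid(query, now=None):
    """Check expiry first, then the signature in constant time."""
    params = parse_qs(query)
    exp, sig = params.get("exp", [""])[0], params.get("sig", [""])[0]
    if not (exp.isdecimal() and len(exp) <= 12):
        return False
    if int(exp) < int(time.time() if now is None else now):
        return False
    return hmac.compare_digest(sig.encode(), sign(int(exp)).encode())


def app(environ, start_response):
    """WSGI download endpoint: serve the apk only for a valid signed link."""
    if link_is_valid(environ.get("QUERY_STRING", "")):
        start_response("200 OK", [
            ("Content-Type", "application/vnd.android.package-archive"),
            ("Content-Disposition", 'attachment; filename="app.apk"')])
        return [APK_BYTES]
    start_response("403 Forbidden", [("Content-Type", "text/plain")])
    return [b"Forbidden"]
```

Because the link expires after five minutes and the signature covers the expiry time, a URL that leaks into a log or browser history stops working quickly, unlike a fixed address guarded only by a User-Agent check.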