Hi,

Thanks for the information.

After you sideloaded the Main Components apk from apkmirror, were you then able to update in the future using the Samsung settings Biometrics and security > Google Play system update, or do you have to sideload the new Main Components apk from apkmirror every time?

Thanks,

Greg

Hi,

Ok. We'll see what happens in the future

I have been digging around this one. A great source of information: https://www.xda-developers.com/android-project-mainline-modules-explanation/ .

For an device launched with Android 10, such as the Samsung A41, all the following apks and apexs will be updated as a minimum with a Google Play Security Update if there is a newer version available:

Documents UI (apk)
ExtServices (apk)
Media Codecs (apex)
Media Framework Components (apex)
Module Metadata (apk)
Permission Controller (apk)
Time Zone Data (apex)

You can see the versions of each apk by finding the apps in Samsung settings: App > Show system apps.

You can see the versions of each apex by finding the apex in the folder System/apex/ (any good File Manager will do to find this folder, you don't need to be root). There is a file inside the apex folder called apex_manifest.json. This is a text file which can be opened to see the "version" number of the apex.

I have for the Google play system update February 2020:

Documents UI version q_release_aml_patch_291602100
ExtServices version q_pr1-release_aml_291900801
Media Codecs version 292100201
Media Framework Components version 292000301
Module Metadata version 01/02/2020
Permission Controller version q_pr1-release_aml_291900801
Time Zone Data version 291900801

I am just wondering if only updating Module Metadata (Main Components) with the version on apkmirror you are getting the complete system update? For example on apkmirror for Permission Controller there is a latest version: 300901600 from 8th December.

https://www.apkmirror.com/apk/google-inc/permission-controller/permission-controller-r_aml_300901600...

Any way you could check the versions you have?

Greg

Seems that not all gets updated with this manual method and some can't be pushed to the latest version as their updates are for Android 11+.

Thanks for the info

I find it hard to believe that Samsung haven't fixed this security issue. There are loads of threads about people experiencing the same thing. It seems to start after an OTA upgrade or device reset.

Greg

Hi,

Does any one from Samsung actually read these forums?

Here is a logcat of what happens when I manually try the Google play system update on the Samsung A41, and it tells me that I am up to date with February 2020. Clearly there is a failure in the device Package State Repository for the apps/apexs which Google is trying to update:

12-20 08:29:43.692 I/BufferQueueProducer( 629): [com.android.vending/com.google.android.finsky.systemupdateactivity.SettingsSecurityEntryPoint$_19246#0](this:0x7b82c6b800,id:3124,api:0,p:-1,c:629) queueBuffer: fps=24.28 dur=2265.19 max=1349.50 min=15.59
12-20 08:29:43.697 I/Finsky (19246): [2] gzf.c(3): PackageStateRepository holds no state for package: com.google.android.media
12-20 08:29:43.698 I/Finsky (19246): [2] gyp.h(2): Failed to fetch package info for com.google.android.media. App is likely not installed
12-20 08:29:43.699 I/Finsky (19246): [2] znj.g(8): Invalidating cached PackageState for com.google.android.tzdata
12-20 08:29:43.702 I/Finsky (19246): [2] znj.p(3): Package no longer installed: com.google.android.tzdata
12-20 08:29:43.705 I/Finsky (19246): [356] phs.run(16): Frosting DB delete succeeded: false
12-20 08:29:43.707 I/Finsky (19246): [2] pid.d(2): Frosting ID looked up on UI thread. Caller should move to a background thread.
12-20 08:29:43.711 I/Finsky (19246): [2] gzf.c(3): PackageStateRepository holds no state for package: com.google.android.tzdata
12-20 08:29:43.711 I/Finsky (19246): [2] gyp.h(2): Failed to fetch package info for com.google.android.tzdata. App is likely not installed
12-20 08:29:43.713 I/Finsky (19246): [2] znj.g(8): Invalidating cached PackageState for com.google.android.modulemetadata
12-20 08:29:43.719 I/Finsky (19246): [356] phq.run(16): Wrote row to frosting DB: 895
12-20 08:29:43.719 I/Finsky (19246): [2] pid.d(2): Frosting ID looked up on UI thread. Caller should move to a background thread.
12-20 08:29:43.724 I/Finsky (19246): [2] gzf.c(3): PackageStateRepository holds no state for package: com.google.android.modulemetadata
12-20 08:29:43.724 I/Finsky (19246): [2] gyp.h(2): Failed to fetch package info for com.google.android.modulemetadata. App is likely not installed
12-20 08:29:43.725 I/Finsky (19246): [2] znj.g(8): Invalidating cached PackageState for com.google.android.ext.services
12-20 08:29:43.731 I/Finsky (19246): [2] pid.d(2): Frosting ID looked up on UI thread. Caller should move to a background thread.
12-20 08:29:43.731 I/Finsky (19246): [356] phq.run(16): Wrote row to frosting DB: 896
12-20 08:29:43.736 I/Finsky (19246): [2] gzf.c(3): PackageStateRepository holds no state for package: com.google.android.ext.services
12-20 08:29:43.736 I/Finsky (19246): [2] gyp.h(2): Failed to fetch package info for com.google.android.ext.services. App is likely not installed
12-20 08:29:43.737 I/Finsky (19246): [2] znj.g(8): Invalidating cached PackageState for com.google.android.documentsui
12-20 08:29:43.742 I/Finsky (19246): [356] phq.run(16): Wrote row to frosting DB: 897
12-20 08:29:43.743 I/Finsky (19246): [2] pid.d(2): Frosting ID looked up on UI thread. Caller should move to a background thread.
12-20 08:29:43.748 I/Finsky (19246): [2] gzf.c(3): PackageStateRepository holds no state for package: com.google.android.documentsui
12-20 08:29:43.748 I/Finsky (19246): [2] gyp.h(2): Failed to fetch package info for com.google.android.documentsui. App is likely not installed
12-20 08:29:43.751 I/Finsky (19246): [2] znj.g(8): Invalidating cached PackageState for com.google.android.media.swcodec
12-20 08:29:43.753 I/Finsky (19246): [2] znj.p(3): Package no longer installed: com.google.android.media.swcodec
12-20 08:29:43.756 I/Finsky (19246): [356] phs.run(16): Frosting DB delete succeeded: false
12-20 08:29:43.757 I/Finsky (19246): [2] pid.d(2): Frosting ID looked up on UI thread. Caller should move to a background thread.
12-20 08:29:43.760 I/Finsky (19246): [2] gzf.c(3): PackageStateRepository holds no state for package: com.google.android.media.swcodec
12-20 08:29:43.760 I/Finsky (19246): [2] gyp.h(2): Failed to fetch package info for com.google.android.media.swcodec. App is likely not installed
12-20 08:29:43.761 I/Finsky (19246): [2] znj.g(8): Invalidating cached PackageState for com.google.android.permissioncontroller
12-20 08:29:43.766 W/WindowManager( 1249): removeWindowToken: Attempted to remove non-existing token: android.os.Binder@47e8308
12-20 08:29:43.766 I/Finsky (19246): [2] pid.d(2): Frosting ID looked up on UI thread. Caller should move to a background thread.
12-20 08:29:43.767 I/Finsky (19246): [356] phq.run(16): Wrote row to frosting DB: 898
12-20 08:29:43.769 I/Finsky (19246): [2] gzf.c(3): PackageStateRepository holds no state for package: com.google.android.permissioncontroller
12-20 08:29:43.770 I/Finsky (19246): [2] gyp.h(2): Failed to fetch package info for com.google.android.permissioncontroller. App is likely not installed

Would be great if someone from Samsung could actually give some feedback about this security issue on this community!

Greg

Hi,

I use my Samsung A41 for online banking and am now particuarly concerned about this security issue. One of the reasons that I bought this phone was the Samsumg update policy of it being eligible for three Android updates, which sounded impressive at the time...

However, now, if Samsung have abandoned the Google security system updates then I would not have bought the Samsung A41 or any other Samsung mobile phone.

This security issue has been posted on this community forum many times and there has been no response from Samsung. It seems like Samsung is choosing to ignore customers on this security issue.

Greg