In order to allow a UI that can "see" all the relevant downloads, there'll need to be a separate URI (or set of URIs) in the content provider: trying to use the exact same URIs for regular download control for UI purposes (distinguishing them based on the permissions of the caller) will break down if a same app (or actually a same UID) tries to do both. It'll also break down if the system process tries to do ular download activities, since it has all permissions.

Beyond that, there's little technical challenge: there are already mechanisms in place to restrict the list of columns that can be inserted, queried and updated (inserting of course makes no sense through UI channel), they just need to be duplicated for the case of the UI. The download provider also knows how to check the permissions of its caller, there isn't anything new here.

Getting rid of OTHER_UID

Right now OTHER_UID is used by checkin/update to allow the settings app to display the name of an ongoing OTA update, and by Market to allow the system to install the new apks. It is however a gerous feature, at least because it touches a part of the code that is critical to the download manager security (separation of applications).

Getting rid of OTHER_UID would be beneficial for the download manager, but the existing functionality has to be worked around. At this point, the idea that I consider the most likely would be have checkin and market implement =ContentProvider= wrappers around their downloads, and expose those content providers to whichever app they want, with whichever security mechanism they wish to have.

Only using SDK APIs.

It'd be good if the download manager could be built against the SDK as much as possible.

Here's the list of APIs as of Nov 5 2008 that aren't in the current public API but that are used by the download manager:

com.google.android.collect.Lists
android.drm.mobile1.DrmRawContent
android.media.IMediaScannerService
android.net.http.AndroidHttpClient
android.os.FileUtils
android.provider.DrmStore

Schedule

• No future milestones currently defined

Detailed Requirements

<> Codes 3xx weren't considered relevant when those requirements were written

System Architecture

+----------------------+    +--------------------------------------+    +-------------+
|                      |    |                                      |    |             |
|   Download Manager   |    |  Browser / Gmail / Market / Updater  |    |  Viewer App |
|                      |    |                                      |    |             |
+----------------------+    +--------------------------------------+    +-------------+
    ^    |    ^                                             ^                ^
    |    |    |                                             |                |
    |    |    |                                             |                |
    |    |    |      +---------------------------+          |                |
    |    |    |      |                           |          |                |
    |    |    |      |                           |          |                |
    |    |    +-------- - - - - - - - - - - - - ------------+                |
    |    |           |                           |                           |
    |    |           |                           |                           |
    |    +------------- - - - - - - - - - - - - -----------------------------+
    |                |                           |
    |                |                           |
    +--------------->|     Android framework     |
                     |                           |
                     |                           |
                     +---------------------------+

          Application                        Download Manager                         Viewer App
               |                                     |                                     |
               |         initiate download           |                                     |
               |------------------------------------>|                                     |
               |<------------------------------------|                                     |
               |        content provider URI         |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |           query download            |                                     |
               |------------------------------------>|                                     |
               |<------------------------------------|                                     |
               |              Cursor                 |                                     |
               |                                     |                                     |
               |       register ContentObserver      |                                     |
               |------------------------------------>|                                     |
               |                                     |                                     |
               |     ContentObserver notification    |                                     |
               |<------------------------------------|                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |    intent "notification clicked"    |                                     |
               |<------------------------------------|                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |      intent "download complete"     |                                     |
               |<------------------------------------|                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |            intent "view"            |
               |                                     |------------------------------------>|
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |           update download           |                                     |
               |------------------------------------>|                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |         open downloaded file        |                                     |
               |------------------------------------>|                                     |
               |<------------------------------------|                                     |
               |         ParcelFileDescriptor        |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |           delete download           |                                     |
               |------------------------------------>|                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               |                                     |                                     |
               v                                     v                                     v

Internal Product Dependencies

• [reverse dependency] GMail depends on the download manager to download attachments.
• [reverse dependency] OTA Update depends on the download manager to download system images.
• [reverse dependency] Vending Machine depends on the download manager to download content.
• [reverse dependency] Browser depends on the download manager to download non-browsable.
• Download Manager depends on a notification system to let the user know when downloads complete or otherwise require attention.
• Download Manager depends on a mechanism to share files with another app (letting apps access its files, or accessing apps' files).
• Download Manager depends on the ability to associate individual downloads with separate applications and to restrict apps to only access their own downloads.
• Download Manager depends on an HTTP stack that predictably processes all relevant kinds of HTTP requests and responses.
• Download Manager depends on a connectivity manager that reports accurate information about the status of the different data connections.

Interface Documentation

WARNING Since none of those APIs are public, they are all subject to change. If you're working in the Android source tree, do NOT use the explicit values, ONLY use the symbolic stants, unless you REALLY know what you're doing and are willing to deal with the consequences; you've been warned.

The various constants that are meant to be used by applications are all defined in the android.provider.Downloads class. Whenever possible, the constants should be used instead of the explicit ues.

Permissions

Content Provider

The primary interface that applications use to communicate with the download manager is exposed as a ContentProvider.

URIs

The URIs for the Content Provider are:

Columns

The following columns are available:

Destination Values

Visibility Values

Control Values

Status Values

<> <>

Status Helper Functions

Intents

The download manager sends an intent broadcast Downloads.DOWNLOAD_COMPLETED_ACTION when a download completes.

The download manager sends an intent broadcast Downloads.NOTIFICATION_CLICKED_ACTION when the user clicks a download notification that doesn't match a download that can be opened (e.g. because notification is for several downloads at a time, or because it's for an incomplete download, or because it's for a private download).

The download manager starts an activity with Intent.ACTION_VIEW when the user clicks a download notification that matches a download that can be opened.

Differences between 1.0 and Cupcake

WARNING These are the differences for apps built from source in the Android source tree, i.e. they don't cover any of the cases of binary incompatibility.

• Cursors returned by the content provider are now read-only.
• SQL "where" statements are now verified and must follow a rigid syntax (the most visible aspect being that all parameters much be single-quoted).
• Columns and constants that were unused or ineffective are gone: METHOD, NO_SYSTEM_FILES, DESTINATION_DATA_CACHE, OTA_UPDATE.
• OTHER_UID and DESTINATION_CACHE_PARTITION require android.permission.ACCESS_DOWNLOAD_MANAGER_ADVANCED.
• The list of columns that can be queried and read is limited: _ID, APP_DATA, _DATA, MIMETYPE, CONTROL, STATUS, T_MODIFICATION, NOTIFICATION_PACKAGE, NOTIFICATION_CLASS, TOTAL_BYTES, CURRENT_BYTES, TITLE, DESCRIPTION.
• The list of columns that can be initialized by apps is limited: URI, APP_DATA, NO_INTEGRITY, FILENAME_HINT, MIMETYPE, DESTINATION, VISIBILITY, CONTROL, STATUS, LAST_MODIFICATION, NOTIFICATION_PACKAGE, NOTIFICATION_CLASS, NOTIFICATION_EXTRAS, COOKIE_DATA, USER_AGENT, REFERER, OTHER_UID, TITLE, DESCRIPTION.
• The list of columns that can be updated by apps is limited: APP_DATA, VISIBILITY, CONTROL, TITLE, DESCRIPTION.
• Downloads to the SD card default to have notifications that are visible after completion, internal downloads default to notifications that are always hidden.
• The constant FILENAME was renamed Downloads._DATA.
• Downloads can be paused and resumed by writing to the CONTROL column. Downloads.CONTROL_RUN (Default) makes the download go, Downloads.CONTROL_PAUSED pauses it.
• New column APP_DATA that is untouched by the download manager, used to store app-specific info about the downloads.
• Minor differences unlikely to affect applications:
  • The notification class/package must now match the UID.
  • The backdoor to see the entire provider (which was intended to implement UIs) is gone.
  • Private column names were removed from the public API.

Writing code that works on both the 1.0 and Cupcake versions of the download manager.

If you're not 100% sure that you need to be reading this chapter, don't read it.

Basic rule: don't use features that only exist in one of the two implementations (POST, downloads to /data...).

Also, don't use columns in 1.0 that are protected or hidden in Cupcake.

Unfortunately, that's not always entirely possible.

Areas of concern:

• Some columns were renamed. FILENAME became Downloads._DATA ("_data"), and ENTITY became APP_DATA ("entity").
  • The difference can be used to distinguish between 1.0 and Cupcake, though reflection.
  • The difference prevents from using any of the symbolic constants directly in source code: if the same binary wants to run on both 1.0 and Cupcake, it will have to hard-code the values of those stants or use reflection to get to them.
• URI column accessible in 1.0 but protected in Cupcake. Code that relies on being able to re-read its URI should be using APP_DATA in Cupcake, but that column doesn't exist as such in 1.0.
  • If the code detects that it's running on Cupcake, write URI to APP_DATA in addition to URI, and query and read from the appropriate column.
  • Since the underlying column for APP_DATA exists in both 1.0 and Cupcake even though it has different names, it can actually be used in both cases (see note above about renamed columns).
• Some of the error codes have been renumbered. STATUS_UNHANDLED_HTTP_CODE and STATUS_HTTP_DATA_ERROR were bumped up from 494 and 495 to 495 and 496.
• Backward compatibility is not guaranteed: the download manager APIs weren't meant to be backward compatible yet. As such it's impossible to guarantee that code that uses the Cupcake download manager l be binary-compatible with future versions.
  • I intend to eventually change the column name for APP_DATA to "app_data". Because of that, code should use reflection to get to that name instead of hard-coding "entity", so that it always gets the ht value for the string.
  • I intend to refine the handling of filenames and content URIs, exposing separate columns for situations where a download can be accessed both as a file and through a content URI (e.g. stuff that is ognized by the media scanner). Unfortunately at this point this feature isn't clear in my mind. I'd recommend using reflection to look for the Downloads._DATA column, and if it isn't there to look for the ENAME column (which has the advantage of also dealing with the difference between 1.0 and Cupcake).
  • I intend to renumber the error codes, especially those in the 4xx range, and especially those below 490 (which overlap with standard HTTP error codes but will probably be separated). Reflection would rove the probability to getting to them in the future. Unfortunately, the names of the constants are likely to change in the process, in order to disambiguate codes coming from HTTP from those generated ally. I might try to stick to the following pattern: where a constant is currently named STATUS_XXX, its locally-generated version in the future might be named STATUS_LOCAL_XXX while the current constant e might disappear. Using reflection to try to get to the possible new name instead of using the old name might improve the probability of compatibility in the future. That being said, it is critically ortant to properly handle the full ranges or error codes, especially the 4xx range, as "expected" errors, and it is far preferable to not try to distinguish between those codes at all: use the functions nloads.isError and Downloads.isClientError to easily recognize those entire ranges. In order of probability, the 1xx range is the second most likely to be affected.

Functional Specification

TODO

Release notes for Cupcake

• HTTP codes 301, 302, 303 and 307 (redirects) are now supported
• HTTP code 503 is now handled, with support for retry-after in delay-seconds
• Downloads that were cleanly interrupted are now resumed instead of failing
• Applications can now pause their downloads
• Retry delays are now randomized
• Connectivity is now checked on all interfaces
• Downloads with invalid characters in file name can now be saved
• Various security fixes
• Minor API changes (see API differences between 1.0 and Cupcake)

Product Architecture

TODO To be completed

The download manager is built primarily around a ContentProvider and a Service. The ContentProvider part is the front end, i.e. applications communicate with the download manager through the provider. The vice part is the back end, which contains the actual download logic, running as a background process.

As a first approach, the provider is essentially a canonical provider backed by a SQLite3 database. The biggest difference between the download provider and a "plain" provider is that the download provider ressively validates its inputs, for security reasons.

The service is a background process that performs the actual downloads as requested by the applications. The service doesn't offer any bindable interface, the service object exists strictly so that the tem knows how to prioritize the download manager's process against other processes when memory is tight.

Communication between the provider and the service is done through public Android APIs, so that the two components are deeply decoupled (they could in fact run in different processes). The download manager rts the service whenever a change is made that can start or restart a download. The service observes and queries the provider for changes, and updates the provider as the download progresses.

There are a few secondary classes that provide auxiliary functions.

A Receiver listens to several broadcasts. Is receives some system broadcasts when the system boots (so that the download manager can resume downloads that were interrupted when the system was turned off) or n the connectivity changes (so that the download manager can restart downloads that were interrupted when connectivity was lost). It also receives intents when the user selects a download notification.

Finally, some helper classes provide support functions.

Most significantly, DownloadThread is responsible for performing the actual downloads as part of the DownloadService's functionality, while UpdateThread is responsible for updating the DownloadInfo whenever DownloadProvider data changes.

DownloadInfo and DownloadFileInfo hold pure data structures, with little or no actual logic.

Lexer takes care of validating the snippets of SQL data that are received from applications, to avoid cases of SQL injection.

The service keeps a copy of the provider data in RAM, so that it can determine what changed in the provider when it receives a change notification through the ContentObserver. That data is kept in an array DownloadInfo structures.

Each DownloadThread performs the operations for a single download (or, more precisely, for a single HTTP transaction). Each DownloadThread is backed by a DownloadInfo object. which is in fact on of the ects kept by the DownloadService. While a download is running, the DownloadService can influence the download by writing data into the relevant DownloadInfo object, and the DownloadThread checks that object appropriate times during the download.

Because the DownloadService updates the DownloadInfo objects asynchronously from everything else (it uses a dedicated thread for that purpose), a lot of care has to be taken when upgrading the DownloadInfo ect. In fact, only the DownloadService's updateThread function can update that object, and it should be considered read-only to every other bit of code. Even within the updateThread function, some care must taken to ensure that the DownloadInfos don't get out of sync with the provider.

On the other hand, the DownloadService's updateThread function does upgrade the DownloadInfo when it spawns new DownloadThreads (and in a few more circumstances), and when it does that it must also update DownloadProvider (or risk seeing its DownloadInfo data get overwritten).

Because of all that, all code outside of the DowloadService's updateThread must neither read from DownloadProvider nor write to the DownloadInfo objects under any circumstances. The DownloadService's ateFunction is responsible for copying data from the DownloadProvider to the DownloadInfo objects, and must ensure that the DownloadProvider remains in sync with the information it writes into the nloadInfo objects.

Implementation Documentation

TODO To be completed

Database formats

Android 1.0, format version 31, table downloads:

Cupcake, format version 100: Same as format version 31.

Future Directions

WARNING This section is for informative purposes only.

API

• Expose Download Manager to 3rd party apps - security, robustness .
• Validate application-provided user agent, cookies, etc... to protect against e.g. header injection.
• Allow trust-and-verify MIME type.
• Extract response string from HTTP responses, extract entity from failed responses
• If app fails to be notified, retry later - don't give up because of a single failure.
• Support data: URIs .
• Download files to app-provided content provider .
• Don't pass HTTP codes above about 490 to the initiating app (figure out what the threshold should be).
• Allow initiating app to specify that it wants wifi-only downloads .
• Provide SQL "where" clauses for the different categories of status codes, matching isStatusXXX().
• There has to be a mechanism by which old downloads are automatically purged from /cache if there's not enough space .
• Clicking the notification for a completed download should go through the initiating app instead of directly opening the file (but what about fire and forget?).
• Clean up the difference between pending_network (waiting for network) and running_paused (user paused the download).
• Allow any app to access the downloaded file (but no other column) of user-downloaded files .
• Provider should return more errors and throw fewer exceptions if possible.
• Add option to auto-dismiss notifications for completed downloads after a given time .
• Delete filename in case of failure - better handle the separation between filename and content URI.
• Allow the initiating application to specify that it wants to restart downloads from scratch if they're interrupted and can't be resumed .
• Save images directly from browser without re-downloading data .
• Give applications the ability to explicitly specify the full target filename (not just a hint).
• Give applications the ability to download multiple files into multiple set locations as if they were a single "package".
• Give applications the ability to download files only if they haven't been already downloaded.
• Give applications the ability to download files that have already been downloaded only if there's a newer version.
• Set-cookie in the response.
• basic auth .
• app-provided prompts for basic auth, ssl, redirects.
• File should be hidden from initiating application when DRM.
• Delay writing of app-visible filename column until file visible (split user-visible vs private files?).
• Separate locally-generated status codes from standard HTTP codes.
• Allow app to specify it doesn't want to resume downloads across reboots (because they might require additional work).
• Allow app to prioritize user-initiated downloads.
• Allow app to specify length of download (full trust, or trust-and-verify).
• Support POST.
• Support PUT.
• Support plugins for additional protocols and download descriptors.
• Rename columns to have an appropriate COLUMN_ prefix.

HTTP Handling

• Fail download immediately on authoritative unresolved hostnames .
• The download manager should use the browser's user-agent by default.
• Redirect with HTTP Refresh headers (download current and target content with non-zero refresh).
• Handle content-encoding header.
• Handle transfer-encoding header.
• Find other ways to validate interrupted downloads (signature, last-mod/if-modified-since) .
• Make downloads time out in case of long time with no activity.

File names

• Protect against situations where there's already a "downloads" directory on SD card.
• Deal with filenames with invalid characters.
• Refine the logic that builds filenames to better match desktop browsers - drop the query string.
• URI-decode filenames generated from URIs.
• Better deal with filenames that end in '.'.
• Deal with URIs that end in '/' or '?'.
• Investigate how to better deal with filenames that have multiple extensions.

UI

• Prompt for redirects across domains or cancel.
• Prompt for redirects from SSL or cancel.
• Prompt for basic auth or cancel.
• Prompt for SSL with untrusted/invalid/expired certificates or cancel.
• Reduce number of icons in the title bar, possibly as low as 1 (animated if there are ongoing downloads, fixed if all downloads have completed) .
• UI to cancel visible downloads.
• UI to pause visible downloads.
• Reorder downloads.
• View SSL certificates.
• Indicate secure downloads.

Handling of specific MIME types

• Parse HTML for redirects with meta tag.
• Handle charsets and transcoding of text files.
• Deal with multiparts.
• Support OMA downloads with DD and data in same multipart, i.e. combined delivery.
• Assume application/octet-stream for http responses with no mime type.
• Download anything if an app supports application/octet-stream.
• Download any text/* if an application supports text/plain.
• Should the media scanner be invoked on DRM downloads?
• Refresh header with timer should be followed if content is not downloadable.
• Support OMA downloads.
• Support MIDP-OTA downloads.
• Support Sprint MCD downloads.
• Sniff content when receiving MIME-types known to be inaccurately sent by misconfigured servers.

Management of downloads based on environment

• If the device routinely connects over wifi, delay non-interactive downloads by a certain amount of time in case wifi becomes available
• Turn on wifi if possible
• Fall back to cell when wifi is available but download doesn't proceed
• Be smarter about spurious losses (i.e. exceptions while network appears up) when the active network changes (e.g. turn on wifi while downloading over cell).
• Investigate the use of wifi locks, especially when performing non-resumable downloads.
• Poll network state (and maybe even try to connect) even without notifications from the connectivity manager (in case the notifications go AWOL or get inconsistent) .
• Pause when conditions degrade .
• Pause when roaming.
• Throttle or pause when user is active.
• Pause on slow networks (2G).
• Pause when battery is low.
• Throttle to not overwhelm the link.
• Pause when sync is active.
• Deal with situations where the active connection is down but there's another connection available
• Download files at night when the user is not explicitly waiting.

Management of simultaneous downloads

• Pipeline requests on limited number of sockets, run downloads sequentially .
• Manage bandwidth to not starve foreground tasks.
• Run unsized downloads on their own (on a per-filesystem basis) to avoid failing multiple of them because of a full filesystem .

Minor functional changes, edge cases

• The database could be somewhat checked when it's opened.
• [DownloadProvider.java] When upgrading the database, the numbering of ids should restart where it left off.
• [DownloadProvider.java] Handle errors when failing to start the service.
• [DownloadProvider.java] Explicitly populate all database columns that have documented default values, investigate whether that can be done at the SQL level.
• [DownloadProvider.java] It's possible that the last update time should be updated by the Sevice logic, not by the content provider.
• When relevant, combine logged messages on fewer lines.
• [DownloadService.java] Trim the database in the provider, not in the service. Notify application when trimming. Investigate why the row count seems off by one. Enforce on an ongoing basis.
• [DownloadThread.java] When download is restarted and MIME type wasn't provided by app, don't re-use MIME type.
• [DownloadThread.java] Deal with mistmatched file data sizes (between database and filesystem) when resuming a download, or with missing files that should be here.
• [DownloadThread.java] Validate that the response content-length can be properly parsed (i.e. presence of a string doesn't guarantee correctness).
• [DownloadThread.java] Be finer-grained with the way file permissions are managed in /cache - don't 0644 everything .
• Truncate files before deleting them, in case they're still open cross-process.
• Restart from scratch downloads that had very little progress .
• Deal with situations where /data is full as it prevents the database from growing (DoS) .
• Wait until file scanned to notify that download is completed.
• Missing some detailed logging about IOExceptions.
• Allow to disable LOGD debugging independently from system setting.
• Pulling the battery during a download corrupts files (lots of zeros written) .
• Should keep a bit of "emergency" database storage to initiate the download of an OTA update, in a file that is pre-allocated whenever possible (how to know it's an OTA update?).
• Figure out how to hook up into dumpsys and event log.
• Use the event log to log download progress.
• Use /cache to stage downloads that eventually go to the sd card, to avoid having sd files open too long in case the use pulls the card and to avoid partial files for too long.
• Maintain per-application usage statistics.
• There might be corner cases where the notifications are slightly off because different notifications might be using PendingIntents that can't be distinguished (differing only by their extras).

Architecture and Implementation

• The content:// Uri of individual downloads could be cached instead of being re-built whenever it's needed.
• [DownloadProvider.java] Solidify extraction of id from URI
• [DownloadProvider.java] Use ContentURIs.parseId(uri) to extra the id from various functions.
• [DownloadProvider.java] Use StringBuilder to build the various queries.
• [DownloadService.java] Cache interface to the media scanner service more aggressively.
• [DownloadService.java] Investigate why unbinding from the media scanner service sometimes throws an exception
• [DownloadService.java] Handle exceptions in the service's UpdateThread - mark that there's no thread left.
• [DownloadService.java] At the end of UpdateThread, closing the cursor should be done even if there's an exception. Also log the exception, as we'd be in an inconsistent state.
• [DownloadProvider.java] Investigate whether the download provider should aggressively cache the result of getContext() and getContext().getContentResolver()
• Document the database columns that are most likely to stay unchanged throughout versions, to increase the chance being able to perform downgrades.
• [DownloadService.java] Sanity-check the ordering of the local cache when adding/removing rows.
• [DownloadService.java] Factor the code that checks for DRM types into a separate function.
• [DownloadService.java] Factor the code that notifies applications into a separate function (codepath with early 406 failure)
• [DownloadService.java] Check for errors when spawning download threads.
• [DownloadService.java] Potential race condition when a download completes at the same time as it gets deleted through the content provider - see deleteDownload().
• [DownloadService.java] Catch all exceptions in scanFile - don't trust a remote process to the point where we'd let it crash us.
• [DownloadService.java] Limit number of attempts to scan a file.
• [DownloadService.java] Keep less data in RAM, especially about completed downloads. Investigating cutting unused columns if necessary
• [DownloadThread.java] Don't let exceptions out of run() - that'd kill the service, which'd accomplish no good.
• [DownloadThread.java] Keep track of content-length responses in a long, not in a string that we keep parsing .
• [DownloadThread.java] Use variable-size buffer to avoid thousands of operations on large downloads
• [Helpers.java] Deal with atomicity of checking/creating file.
• [Helpers.java] Handle differences between content-location separators and filesystem separators.
• Optimize database queries: use projections to reduce number of columns and get constant column numbers.
• Index last-mod date in DB, because of ordered searches. Investigate whether other columns need to be indexed (Hidden?)
• Deal with the fact that sqlite INTEGER matches java long (63-bit) .
• Use a single HTTP client for the entire download manager.
• Could use fewer alarms - currently setting new alarm each time database updated .
• Obsolete columns should be removed from the database .
• Assign relevant names to threads.
• Investigate and handle the different subclasses of IOException appropriately .
• There's potentially a race condition around read-modify-write cycles in the database, between the Service's updateFromProvider thread and the worker threads (and possibly more). Those should be hronized appropriately, and the provider should be hardened to prevent asynchronous changes to sensitive data (or to synchronize when there's no other way, though I'd rather avoid that) .
• Temporary file leaks when downloads are deleted while the service isn't running .
• Increase priority of updaterThread while in the critical section (to avoid issues of priority inheritance with the main thread).
• Explicitly specify which interface to use for a given download (to get better sync with the connection manager).
• Cancel the requests on more kinds of errors instead of trusting the garbage collector.
• Issues with the fact that parseInt can throw exceptions on invalid server headers.

Code style, refactoring

• Fix lint warnings
• Make sure that comments fit in 80 columns to match style guide
• Unify code style when dealing with lines longer than 100 characters
• [Constants.java] constants should be organized by logical groups to improve readability.
• Use fewer internal classes (Helpers, Constants...) .

Browser changes

• Move download UI outside of browser, so that browser doesn't need to access the provider.
• Make browser sniff zips and jars to see if they're apks.
• Live handoff of browser-initiated downloads (download in browser, browser update download UI, hand over to download manager on retry).