I have a working DPC app which is the Device Owner. I have tried this on two different Android 6.0.1 devices to rule out any device/manufacturer issues.

I used adb shell dpm set-device-owner com.example.dpc/.DpcDeviceAdminReceiver to make my DPC-app the owner. After making it the owner it can correctly grant COSU permissions to another app, which convinces me that this has worked. The command returned the response:

Success: Device owner set to package com.example.dpc
Active admin set to component {com.examplem.dpc/com.example.dpc.DpcDeviceAdminReceiver}

I want to use this app to install and upgrade another app, without user intervention (like Google Play does).

I am using the following proof-of-concept code:

void upgrade() {
    String apkFileName = "app_debug_2_0_0";

    PackageManager packageManger = getPackageManager();
    PackageInstaller packageInstaller = packageManger.getPackageInstaller();
    PackageInstaller.SessionParams params = new PackageInstaller.SessionParams(
            PackageInstaller.SessionParams.MODE_FULL_INSTALL);
    params.setAppPackageName("com.example.dummy");
    try {
        Log.e(TAG, "apkFileName " + apkFileName);

        InputStream ins = getResources().openRawResource(
                getResources().getIdentifier(apkFileName,
                        "raw", getPackageName()));

        int sessionId = packageInstaller.createSession(params);
        PackageInstaller.Session session = packageInstaller.openSession(sessionId);
        OutputStream out = session.openWrite(apkFileName, 0, -1);

        final int bufsize = 4096;
        byte[] bytes = new byte[bufsize];

        int len = 1; // any value > 0
        int tot = 0;
        while (len > 0) {
            len = ins.read(bytes, 0, bufsize);
            Log.d(TAG, "len: " + len);
            if (len < 1) break;
            out.write(bytes, 0, len);
            tot += len;
            Log.d(TAG, "copied: " + tot);
        }
        ins.close();

        session.fsync(out);
        out.close();

        Log.e(TAG, "about to commit ");
        session.commit(PendingIntent.getBroadcast(this, sessionId,
                new Intent("com.example.dpc.intent.UPDATE"), 0).getIntentSender());
        Log.e(TAG, "committed ");
    } catch (IOException e) {
        Log.e(TAG, "Error installing package " + apkFileName, e);
    }
}

With the code above, and variants, I receive an com.example.dpc.intent.UPDATE intent containing an error:

Intent { 
    act=com.example.dpc.intent.UPDATE 
    flg=0x10 
    cmp=com.example.dpc/.DpcUpdateReceiver 
    bqHint=4 
    (has extras) 
}
Bundle[
    android.content.pm.extra.STATUS=4, 
    android.content.pm.extra.PACKAGE_NAME=com.example.dummy,
    android.content.pm.extra.SESSION_ID=1055214117, 
    android.content.pm.extra.LEGACY_STATUS=-15, 
    android.content.pm.extra.STATUS_MESSAGE=INSTALL_FAILED_TEST_ONLY: installPackageLI
]

Logcat correctly reports the size of the apk which is being streamed into the session.openWrite stream.

I have already looked at:

• gradle version - I am using Android Studio and Gradle v3.0.0 and not an unstable version.
• the number of bytes copied from the res/raw apk file: 1418604 which is correct.
• the manifest - there is no testOnly attribute. https://developer.android.com/guide/topics/manifest/application-element.html#testOnly

What am I doing wrong?

The error was coming from the following Android 6.0.1 code in frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java.

if ((pkg.applicationInfo.flags&ApplicationInfo.FLAG_TEST_ONLY) != 0) {
    if ((installFlags & PackageManager.INSTALL_ALLOW_TEST) == 0) {
        res.setError(INSTALL_FAILED_TEST_ONLY, "installPackageLI");
        return;
    }
}

I checked the app which I was trying to install, and found that the FLAG_TEST_ONLY bit was set. Why is Android Studio 3.0.0 setting FLAG_TEST_ONLY on APKs?