pwlin / cordova-plugin-file-opener2

A File Opener Plugin for Cordova
MIT License
314 stars 583 forks

remove: android.permission.REQUEST_INSTALL_PACKAGES from plugins.xml #329

Closed lincolnthree closed 1 year ago

lincolnthree commented 1 year ago

Expected Behaviour

Google is now requiring additional verification for the REQUEST_INSTALL_PACKAGES permission, and will start rejecting apps that have not submitted a valid use.

Developers should have control over which permissions are enabled or not.

Actual Behaviour

REQUEST_INSTALL_PACKAGES is forcibly activated in plugins.xml

Reproduce Scenario (including but not limited to)

ipopa commented 1 year ago

Hello, we had the same problem, you must fork the plugin, remove the permission and delete the possibility to install/uninstall an apk with this plugin.

lincolnthree commented 1 year ago

Yeah, and I think there is more code that needs to be removed in the class, too. Don't forget the other functions, and imports.

arnotixe commented 1 year ago

+1 it seems possible to "just remove the setting from the plugin's config.xml and rebuild" but I think this feature is quite optional so it should be … optional somehow

ryaa commented 1 year ago

Here is the capacitor version of this plugin - see https://github.com/capacitor-community/file-opener Note that this is for Android only at this moment.

ryaa commented 1 year ago

The support for iOS has been added. Can anyone, who uses capacitor, install from the github using the below command to give it a try npm install capacitor-community/file-opener#chore/latest-version-with-dist-directory

NGizdov commented 1 year ago

Guys, do we expect this PR to be accepted and merged, because it is crucial for us, as the end date is quite close

louisfelix commented 1 year ago

As a temporary fix, until this PR is accepted, here is what we did to mitigate the emergency:

  1. Fork the plugin and remove the REQUEST_INSTALL_PACKAGES permission (you can use our fork here)
  2. In our project's package.json dev dependencies, replace "cordova-plugin-file-opener2": "^3.0.5" by "cordova-plugin-file-opener2": "git+https://github.com/CitadelApp/cordova-plugin-file-opener2.git"
  3. Re-package everything and send to Google Play review: it has been accepted and the issue has been removed in Google Play Console -> Policy -> App content

benazir46 commented 1 year ago

@louisfelix it didn't work for me. I simply removed the permissions manually in vscode and it worked!

xtoussaint-estel commented 1 year ago

In my config.xml

<edit-config file="app/src/main/AndroidManifest.xml" target="/manifest" mode="remove">
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
</edit-config>

😋

Edit : I don't know why but my solution doesn't work anymore. The requested change is applied BEFORE the uses-permission is inserted in the AndroidManifest so it is still there 😕 I use the @adammaus script which works every time in my case.

adammaus commented 1 year ago

@xtoussaint-estel That didn't work for me but your answer led me to a script and hook in config.xml. Thank you!

I adapted a few stack overflow answers for the JS file below. Definitely test these out beforehand!

config.xml

<platform name="android">
    <hook src="scripts/remove-android-permissions.js" type="after_prepare" />
</platform>

scripts/remove-android-permissions.js

#!/usr/bin/env node
//
// This hook removes specific permissions from the AndroidManifest.xml
// The AndroidManifest is re-generated during the prepare stage,
// so this must be run on the "after_prepare" hook.
//

// Configure the permissions to be forcefully removed.
// NOTE: These permissions will be removed regardless of how many plugins
//       require the permission. You can check the permission is only required
//       by the plugin you *think* needs it, by looking at the "count" shown in
//       your /plugins/android.json file.
//       If the count is more than 1, you should search through
//       the /plugins/<plugin-name>/plugin.xml files for <uses-permission> tags.

var permissionsToRemove = [ "REQUEST_INSTALL_PACKAGES" ];

var fs = require('fs');
var path = require('path');
// Use the root directory passed as the first argument, if any;
// otherwise resolve the manifest relative to the current directory.
var rootdir = process.argv[2] || process.cwd();
var manifestFile = path.join( rootdir, "platforms/android/app/src/main/AndroidManifest.xml" );

fs.readFile( manifestFile, "utf8", function( err, data )
{
    if (err)
        return console.error( err );

    var result = data;
    for (var i=0; i<permissionsToRemove.length; i++)
    {
        // Remove every occurrence, not only the first, and tolerate
        // whitespace differences around the attribute and before "/>".
        var pattern = new RegExp( "<uses-permission\\s+android:name=\"android\\.permission\\." + permissionsToRemove[i] + "\"\\s*/>", "g" );
        result = result.replace( pattern, "" );
    }

    fs.writeFile( manifestFile, result, "utf8", function( err )
    {
        if (err)
            return console.error( err );
    } );
} );

For the bulk of the script https://stackoverflow.com/a/42182147

For the manifestFile path: https://stackoverflow.com/a/55563097

zawmn commented 1 year ago

Is there any update on this issue? Or is there any alternative plugin like this?

zdayar commented 1 year ago

Guys, do we expect this PR to be accepted and merged, because it is crucial for us, as the end date is quite close

Have you found a solution yet? Having the same issue. Thx!

lincolnthree commented 1 year ago

Just pull from the new repository/branch with the updated code directly in your package.json:

"cordova-plugin-file-opener2": "repo/cordova-plugin-file-opener2#branchName"

ccerrillo commented 1 year ago

In my config.xml <edit-config file="app/src/main/AndroidManifest.xml" target="/manifest" mode="remove"> <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" /> </edit-config> 😋

this solved the issue thanks!!!

mread1208 commented 1 year ago

@ccerrillo what version of cordova are you using? I'm on Cordova 11.0.0 and this does not appear to be removing this setting from our AndroidManifest.xml file. I don't see mode="remove" listed as an option in the Cordova docs: https://cordova.apache.org/docs/en/latest/plugin_ref/spec.html#edit-config

mread1208 commented 1 year ago

@xtoussaint-estel That didn't work for me but your answer led me to a script and hook in config.xml. Thank you!

@adammaus the remove permissions hook you referred to worked for me! Thanks!

ccerrillo commented 1 year ago

Hi, Sorry I'm using Capacitor

On Thu, Oct 6, 2022 at 21:34, Michael Read @.***> wrote:

@ccerrillo https://github.com/ccerrillo what version of cordova are you using? I'm on Cordova 11.0.0 and this does not appear to be removing this setting from our AndroidManifest.xml file. I don't see mode="remove" listed as an option in the Cordova docs: https://cordova.apache.org/docs/en/latest/plugin_ref/spec.html#edit-config

adrenaline15 commented 1 year ago

For the capacitor-users, which are using this plugin and can not alter the config.xml:

Can you try to add the following line above the <application>-tag in your apps AndroidManifest.xml:

<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" tools:node="remove"/>

pmcquay commented 1 year ago

another affected by this issue, would really like to use this without hacks to adjust it.

patrikkelemen1 commented 1 year ago

In my config.xml <edit-config file="app/src/main/AndroidManifest.xml" target="/manifest" mode="remove"> <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" /> </edit-config> 😋

thank you! the best solution for now is to update config.xml :)

fabichacon commented 1 year ago

Has anyone tried to complete the declaration in the Google Play console? Our app is already in production with the REQUEST_INSTALL_PACKAGES permission. I'm afraid of being penalized until I can publish a new version.

ccerrillo commented 1 year ago

Yes, and the request was denied, I compiled a new version without that permission

On Wed, Oct 12, 2022 at 17:26, Fabian Chacon @.***> wrote:

Has anyone tried to complete the declaration in the Google Play console? Our app is already in production with the REQUEST_INSTALL_PACKAGES permission. I'm afraid of being penalized until I can publish a new version.

fabichacon commented 1 year ago

Yes, and the request was denied, I compiled a new version without that permission

@ccerrillo Thanks for the feedback! So, I will compile a new version without that permission and try again.

dmitrikarpov commented 1 year ago

The support for iOS has been added. Can anyone, who uses capacitor, install from the github using the below command to give it a try npm install capacitor-community/file-opener#chore/latest-version-with-dist-directory

Tried on iOS and got this error: [log] - {"code":"UNIMPLEMENTED"}

nathantaal commented 1 year ago

@ccerrillo @fabichacon I compiled a new version but I can't submit it as it gets rejected immediately. Should I now just fill in the form to request the permission with the goal of getting rejected just so I can actually submit a new version..?

ccerrillo commented 1 year ago

Maybe the rejection is for another thing

On Thu, Oct 13, 2022 at 8:21, Nathan @.***> wrote:

@ccerrillo https://github.com/ccerrillo @fabichacon https://github.com/fabichacon I compiled a new version but I can't submit it as it gets rejected immediately. Should I now just fill in the form to request the permission with the goal of getting rejected just so I can actually submit a new version..?

nathantaal commented 1 year ago

It was not. But manually uploading the APK did the trick, thanks anyway :)

mread1208 commented 1 year ago

I'm in the same boat. Using the cordova hook mentioned above DID remove the permission from my AndroidManifest.xml file, but when I upload the latest version to Google Play, the app still gets rejected (~12 - 24 hours later) for the same reason.

We've detected that your app manifest file contains the REQUEST_INSTALL_PACKAGES permission...

I unzipped the production .aab file that I sent to Google, and have confirmed that the REQUEST_INSTALL_PACKAGES permission is not anywhere in the build. Is there possibly a secondary permission in here that would be causing this or is Google not scanning the app properly since our current production app has this permission? I sent an appeal to Google, but still waiting to hear back on that.

nathantaal commented 1 year ago

I've opened the APK in Android Studio and verified the AndroidManifest.xml not containing the REQUEST_INSTALL_PACKAGES, but the update still got rejected. Also sent in an appeal to it. Fingers crossed and wait...

fabichacon commented 1 year ago

I'm in the same boat. Using the cordova hook mentioned above DID remove the permission from my AndroidManifest.xml file, but when I upload the latest version to Google Play, the app still gets rejected (~12 - 24 hours later) for the same reason.

We've detected that your app manifest file contains the REQUEST_INSTALL_PACKAGES permission...

I unzipped the production .aab file that I sent to Google, and have confirmed that the REQUEST_INSTALL_PACKAGES permission is not anywhere in the build. Is there possibly a secondary permission in here that would be causing this or is Google not scanning the app properly since our current production app has this permission? I sent an appeal to Google, but still waiting to hear back on that.

@mread1208 To avoid this I implemented @louisfelix workaround. Fork the plugin, remove permission and re-package. I'm waiting for Google's review. Anyway we need this PR urgently.

mread1208 commented 1 year ago

I've actually done both, pulled in the forked plugin and have the cordova hook in there to remove it in the off chance it shows up. I also removed and re-added the android platform, but Google still rejected it yesterday. Hoping the appeal process works OR at least gives me more insight on the issue... maybe there's something we're missing still.

fabichacon commented 1 year ago

I've actually done both, pulled in the forked plugin and have the cordova hook in there to remove it in the off chance it shows up. I also removed and re-added the android platform, but Google still rejected it yesterday. Hoping the appeal process works OR at least gives me more insight on the issue... maybe there's something we're missing still.

Just in case, after that if you're using Android Studio try ctrl+shift+f and type REQUEST_INSTALL_PACKAGES. Select project from the top section. If you don't see the permission I think it is an issue from Google's review.

rowanloop commented 1 year ago

I've actually done both, pulled in the forked plugin and have the cordova hook in there to remove it in the off chance it shows up. I also removed and re-added the android platform, but Google still rejected it yesterday. Hoping the appeal process works OR at least gives me more insight on the issue... maybe there's something we're missing still.

I'm having a similar issue with Google rejecting bundles that I have submitted, even though the permissions listed for the bundle in the Play Console no longer include the REQUEST_INSTALL_PACKAGES permission (that permission was listed in the bundle when I first started getting rejected for it). Fingers crossed it's a mistake on their part and it gets approved soon.

Sundarvelu-NA commented 1 year ago

Hi @rowanloop, I am also in the same situation as you. Does the Google play store respond to your appeal? I have also applied for the appeal and waiting for the reply. If you have any idea can you share it and I will also analyze this and once it is resolved I will let you know.

fireonmac commented 1 year ago

Hi @rowanloop, I am also in the same situation as you. Does the Google play store respond to your appeal? I have also applied for the appeal and waiting for the reply. If you have any idea can you share it and I will also analyze this and once it is resolved I will let you know.

I applied a week ago and still got no answer.

tobiloeb commented 1 year ago

@xtoussaint-estel That didn't work for me but your answer led me to a script and hook in config.xml. Thank you!

Thanks for this great idea. I had to use a capacitor hook in package.json: https://capacitorjs.com/docs/cli/hooks "capacitor:sync:after" and not a cordova hook in context.xml.

And in my case the permission was not added to the androidManifest in app/src/main but in /capacitor-cordova-android-plugins/src/main/AndroidManifest.xml

Maybe this helps someone else. :)

chiraganand commented 1 year ago

I've actually done both, pulled in the forked plugin and have the cordova hook in there to remove it in the off chance it shows up. I also removed and re-added the android platform, but Google still rejected it yesterday. Hoping the appeal process works OR at least gives me more insight on the issue... maybe there's something we're missing still.

I'm having a similar issue with Google rejecting bundles that I have submitted, even though the permissions listed for the bundle in the Play Console no longer include the REQUEST_INSTALL_PACKAGES permission (that permission was listed in the bundle when I first started getting rejected for it). Fingers crossed it's a mistake on their part and it gets approved soon.

I had forked the repo, removed the permissions line in a new branch (remove_install_packages_permission) and updated the package.json like:

"cordova-plugin-file-opener2": "github:<username>/cordova-plugin-file-opener2#remove_install_packages_permission"

After doing ionic capacitor build android the line was removed from AndroidManifest.xml. It worked for me. Uploaded on Play Store and it wasn't rejected, it has been more than a month IIRC.

nathantaal commented 1 year ago

No reply to the appeal yet...

Sundarvelu-NA commented 1 year ago

It seems like Play console will reject the latest clean build if you have a build with this permission usage in other tracks (internal, alpha, etc). The REQUEST_INSTALL_PACKAGES detection may be referring to existing builds in other tracks instead of the latest build. The review feedback message is confusing and not helpful.

try these:

  1. In Play console (your affected app), click App Content under Policy
  2. Look for Sensitive permissions and APIs and click Start.
  3. Select APKs and bundles, the list will show you the build and track that contain sensitive permission/API.
  4. Navigate to the affected track, create a new release without uploading any apk/bundle (or upload a clean build to replace the existing one), give a Release name, and submit it to review.
  5. Navigate to Publishing overview and check whether the review is pending to submit, if any, send the review.

marcoagsa commented 1 year ago

I have the same problem! Every time that I do a new build of the App, this plugin adds this permission in the file "/android/capacitor-cordova-android-plugins/src/main/AndroidManifest.xml".

What I did was build a new version and in Android Studio I do a search for "REQUEST_INSTALL_PACKAGES" and delete the permission.

Google already approved this version and I have already published it

I hope we have a fix for this in the future ! because it's annoying to have to do this work around every time

fireonmac commented 1 year ago

It seems like Play console will reject the latest clean build if you have a build with this permission usage in other tracks (internal, alpha, etc). The REQUEST_INSTALL_PACKAGES detection may be referring to existing builds in other tracks instead of the latest build. The review feedback message is confusing and not helpful.

try these:

  1. In Play console (your affected app), click App Content under Policy
  2. Look for Sensitive permissions and APIs and click Start.
  3. Select APKs and bundles, the list will show you the build and track that contain sensitive permission/API.
  4. Navigate to the affected track, create a new release without uploading any apk/bundle (or upload a clean build to replace the existing one), give a Release name, and submit it to review.
  5. Navigate to Publishing overview and check whether the review is pending to submit, if any, send the review.

Following your instructions I found the problem in production, open testing and closed testing tracks. Should I replace all the bundles including production one with the clean build at the same time? It's quite dangerous that I don't want to update the production track directly. I already tried to update open and closed testing bundles without touching production one but got rejected with the same permission reply. Three weeks passed after I sent a first appeal and still got no answer from Google yet.

[Oct 27] Just now I tried to update all tracks including production one and got rejected again.

nathantaal commented 1 year ago

I have the same problem! Every time that I do a new build of the App, this plugin adds this permission in the file "/android/capacitor-cordova-android-plugins/src/main/AndroidManifest.xml".

What I did was build a new version and in Android Studio I do a search for "REQUEST_INSTALL_PACKAGES" and delete the permission.

Google already approved this version and I have already published it

I hope we have a fix for this in the future ! because it's annoying to have to do this work around every time

You DON'T have to do this.. Actually, you should do this. It's not a problem that the permission ends up in the capacitor-cordova-android-plugins AndroidManifest file. AndroidManifest uses merge strategies, meaning all AndroidManifest.xml in the AndroidManifest located in /android/app/src/main. In that file, you are the boss, with tools:node='remove' you can explicitly tell Android to remove a permission if it ends up merged in your AndroidManifest

  1. open 'android/app/src/main/AndroidManifest.xml'
  2. Add the following 'permission'

<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" tools:node="remove" />

  3. Build app -> no more REQUEST_INSTALL_PACKAGES in the AndroidManifest that you submit

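
An added example, not code from this thread or from the plugin: a Node.js pre-upload audit that reports where REQUEST_INSTALL_PACKAGES is declared across the manifests named in the comments above and whether the app manifest carries a usable tools:node="remove" marker. The file name audit-manifests.js, the status labels and the sample XML are assumptions made for illustration, and the merged manifest inside the built bundle remains the final check.

```javascript
// Added example, not code from this thread. Sample XML below is constructed.
const BLOCKED = ['android.permission.REQUEST_INSTALL_PACKAGES'];
const APP = 'android/app/src/main/AndroidManifest.xml';
const PLUGINS = 'android/capacitor-cordova-android-plugins/src/main/AndroidManifest.xml';
const TOOLS_NS = /xmlns:tools\s*=\s*["']http:\/\/schemas\.android\.com\/tools["']/;

// Plugin manifest whose tag is split over two lines with no space before "/>".
const SAMPLE_PLUGINS = `<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission
      android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>`;
const SAMPLE_APP_PLAIN = `<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET" />
</manifest>`;
const SAMPLE_APP_MARKER = `<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">
  <uses-permission tools:node="remove"
      android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
</manifest>`;

// Return every <uses-permission> (and -sdk-23 variant) with its android:name
// and tools:node, tolerating attribute order, line breaks and spacing.
function parseUsesPermissions(xml) {
  const live = xml.replace(/<!--[\s\S]*?-->/g, ''); // ignore commented-out tags
  const tags = live.match(/<uses-permission(?:-sdk-23)?\s[^>]*>/g) || [];
  return tags.map((tag) => {
    const name = /android:name\s*=\s*["']([^"']+)["']/.exec(tag);
    const node = /tools:node\s*=\s*["']([^"']+)["']/.exec(tag);
    return { name: name ? name[1] : null, node: node ? node[1] : null };
  }).filter((p) => p.name !== null);
}

// manifests: { path: xmlText }. appPath names the app's own manifest, where a
// tools:node="remove" marker takes effect against lower-priority manifests.
function auditManifests(manifests, appPath, blocked = BLOCKED) {
  return blocked.map((permission) => {
    const declaredIn = [];
    let removeMarker = false;
    for (const [file, xml] of Object.entries(manifests)) {
      for (const p of parseUsesPermissions(xml)) {
        if (p.name !== permission) continue;
        if (p.node === 'remove') {
          if (file === appPath) removeMarker = true;
        } else {
          declaredIn.push(file);
        }
      }
    }
    // The tools: prefix only works if its namespace is bound on <manifest>.
    const toolsNamespace = TOOLS_NS.test(manifests[appPath] || '');
    let status = 'absent';
    if (declaredIn.length > 0) {
      status = !removeMarker ? 'present'
        : toolsNamespace ? 'removed-at-merge' : 'marker-without-tools-namespace';
    }
    return { permission, declaredIn, removeMarker, status };
  });
}

// CLI: node audit-manifests.js <app manifest> [other manifests...]
if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module && process.argv.length > 2) {
  const fs = require('fs');
  const files = process.argv.slice(2);
  const manifests = {};
  for (const f of files) manifests[f] = fs.readFileSync(f, 'utf8');
  const report = auditManifests(manifests, files[0]);
  console.log(JSON.stringify(report, null, 2));
  const bad = report.some((r) => r.status === 'present' ||
    r.status === 'marker-without-tools-namespace');
  if (bad) process.exitCode = 1; // fail the build before upload
}
```
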
marcoagsa commented 1 year ago

@nathantaal thanks for the help, but this solution does not work in my case!

I don't know why but every time I run the build command it adds the permission in the file "android/capacitor-cordova-android-plugins/src/main/AndroidManifest.xml".

I delete this file but every time it creates a new one the permission is there.

In my case, when I make the new build it ignores this option "tools:node="remove" "

tobiloeb commented 1 year ago

@nathantaal thanks for the help, but this solution does not work in my case!

I don't know why but every time I run the build command it adds the permission in the file "android/capacitor-cordova-android-plugins/src/main/AndroidManifest.xml".

I delete this file but every time it creates a new one the permission is there. In my case, when I make the new build it ignores this option "tools:node="remove" "

As I wrote, you need to change the script to delete the permission from AndroidManifest.xml in capacitor-cordova-android-plugins folder. In my case I had to change the hook. Take a look at my post a few days ago. :)

richardkshergold commented 1 year ago

I'm very confused. Our app update was rejected this week because of this issue.

I have removed the Cordova File Opener 2 plugin from the app and replaced it with the Capacitor-Community file-opener plugin.

We use AppFlow for our builds so I have pushed my changes to AppFlow and submitted the build to the PlayStore for Closed Testing. It has been rejected again with the same error. If (on the Google Play Console) I look at the App Bundle Explorer I see that previous builds of the app contained 33 permissions and amongst those was REQUEST_INSTALL_PACKAGES.

My new build has 32 permissions and REQUEST_INSTALL_PACKAGES is not listed.

But this build has been rejected for the same reason. Some comments in the thread have implied that this rejection is because of existing builds in the Closed Testing track (and the Production track) having this permission in. If this is the case how can I ever get an update to my app reviewed successfully. Does anyone have any advice?

richardkshergold commented 1 year ago

@fireonmac seems like you might be in the same position as us - have you got anywhere with this?

fireonmac commented 1 year ago

@fireonmac seems like you might be in the same position as us - have you got anywhere with this?

Check the rollout percentage in your review. If it's less than 100%, the previous release will not be replaced.

richardkshergold commented 1 year ago

@fireonmac not sure what you mean - where do I see that?

Sundarvelu-NA commented 1 year ago

@fireonmac seems like you might be in the same position as us - have you got anywhere with this?

Hi @fireonmac I was in the same situation. try this

In play console go to

  1. App content > Sensitive permissions and APIs > Manage > View app bundles and APKs
  2. Check the affected track and navigate to that, create a new release without uploading any apk/bundle (or upload a clean build to replace the existing one), give a Release name, and submit it to review.
  3. Navigate to Publishing overview and check whether the review is pending to submit, if any, send the review.

richardkshergold commented 1 year ago

Hi @Sundarvelu-NA I'm not sure what you mean here? Submit an empty dummy release for review (with no apk attached)?

Then what?