Google will now Require OEMs to Prompt before Silently Uninstalling Applications
With the release of each new version of Android comes a whole host of changes. For instance, Android 7.1 Nougat introduced application shortcuts, round icon support, and keyboard image insertion. But there are also many subtle changes made to the operating system that only developers and OEMs really pay attention to. OEMs also have to pay attention to any updates made to the Android Compatibility Definition Document (CDD). This document outlines the hardware and software requirements that devices must meet to be compatible with the latest version of Android. If a device fails to meet these requirements, then it may fail Google’s Compatibility Test Suite – resulting in a loss of access to Google’s suite of applications.
When the CDD for Android 7.1 Nougat was released, it received little fanfare compared to the interest generated by 7.0’s document. No surprises there, though, as 7.1 is only a minor upgrade to Android, so not much was expected to change. But that doesn’t mean there aren’t any changes worth noting. Today, AndroidPolice discovered some language in the updated document stating that OEMs will be forbidden from modifying the notification behavior introduced in Android Nougat – direct replies and notification bundling. Through some digging of our own, we discovered some more interesting language added to the document.
Section 4 of the document, titled “Application Packaging Compatibility”, defines how device implementations must manage APK installations. At the bottom of this section, there is a new paragraph that states that system-installed applications can no longer uninstall packages without prompting the user.
Device implementations MUST NOT allow apps other than the current “installer of record” for the package to silently uninstall the app without any prompt, as documented in the SDK for the DELETE_PACKAGE permission. The only exceptions are the system package verifier app handling PACKAGE_NEEDS_VERIFICATION intent and the storage manager app handling
What this is essentially saying is that only the application that was responsible for installing a package in the first place will be able to uninstall that package. For example, if you install an application through the Google Play Store, it retains the ability to uninstall that package. The only exceptions to this rule are when the system package manager is verifying an application and when you are using the new Android Nougat storage manager feature.
In order to delete a package for which it is not the “installer of record”, an application needs to have the DELETE_PACKAGE permission. Fortunately, this permission is restricted to system applications, so it’s not as if you can be tricked into granting an application this dangerous permission (unless you grant a malicious application root access, but then all bets are off). The Android permission manifest documentation notes that whenever a system application requests to delete another package, user confirmation will be requested. However, even though this language was introduced in the developer reference page for Android 7.0, it’s only with Android 7.1 that Google is making this user prompt a requirement.
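To see which app is the installer of record for each package on a device, and therefore the only app the rule above lets remove it without a prompt, the output of `adb shell pm list packages -i` can be audited. The script below is an added example, not code from the CDD or from Google; the package names in the sample are constructed, and the `exempt` parameter is a hypothetical stand-in for the device-specific package verifier and storage manager apps.

```python
import re
from collections import defaultdict

# Constructed sample of `adb shell pm list packages -i` output (not from a real device).
SAMPLE_LISTING = """\
package:com.android.vending  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.game  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.oemcleaner  installer=null
package:com.example.partnerapp  installer=com.example.oemstore
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_installers(listing):
    """Map each package name to its installer of record (None if unset)."""
    records = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        installer = m.group("installer")
        records[m.group("pkg")] = None if installer == "null" else installer
    return records


def removable_without_prompt(records):
    """Group packages by the one app allowed to uninstall them silently."""
    by_installer = defaultdict(list)
    for pkg, installer in sorted(records.items()):
        if installer is not None:  # no installer of record: nobody qualifies
            by_installer[installer].append(pkg)
    return dict(by_installer)


def needs_prompt(caller, target, records, exempt=frozenset()):
    """True if `caller` must show a prompt before uninstalling `target`."""
    if caller in exempt:  # hypothetical: verifier / storage manager package names
        return False
    return records.get(target) != caller


if __name__ == "__main__":
    recs = parse_installers(SAMPLE_LISTING)
    for installer, pkgs in removable_without_prompt(recs).items():
        print(f"{installer} may silently remove: {', '.join(pkgs)}")
```

Packages listed with `installer=null`, such as sideloaded or preinstalled apps, have no installer of record, so under this rule every uninstall of them outside the two exceptions goes through the user prompt.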
We haven’t heard of any examples of OEMs secretly and maliciously uninstalling your applications, as it would undoubtedly be a big scandal if that were to occur. We found it interesting to see this requirement and language introduced now, when this dangerous permission has existed for many API levels. What’s most likely happening is that Google is cracking down on third-party cleaner applications that are installed at the system level of certain smartphones, and is instead pushing OEMs to adopt its new Storage Manager feature.