App is not compliant with how REQUEST_INSTALL_PACKAGES permission is allowed

Question

I got this email from google play after updating my app build with flutter :

After a recent review, we found that your app is not compliant with one or more of our Developer Program Policies. See below for more information about your app's status and how to correct the issue.

Status: Approved with Issues - Further Action Required

We found issues with your app. You need to review and take action as described below so that your app is not impacted in the future.

Issue found: The use of permission is not directly related to the core purpose of the app. We found that your app is not compliant with how REQUEST_INSTALL_PACKAGES permission is allowed to be used. Specifically, the use of the permission is not directly related to the core purpose of the app.

Additionally, follow these steps to bring your app into compliance:

Please remove the use of REQUEST_INSTALL_PACKAGES permission from your app.

About the Request Install Packages Permission

Starting September 29, 2022, your app must be in compliance with the REQUEST_INSTALL_PACKAGES permission or your app may face additional enforcement actions. The REQUEST_INSTALL_PACKAGES permission allows an application to request the installation of app packages. To use this permission, your app’s core functionality must include:

Sending or receiving app packages, AND Enabling user-initiated installation of app packages. Permitted functionalities include any of the following:

Web browsing or search Communication services that support attachments File sharing, transfer, or management Enterprise device management The REQUEST_INSTALL_PACKAGES permission may not be used to perform self-updates, modifications, or the bundling of other APKs in the asset file unless for device management purposes. All updates or installing of packages must abide by Google Play’s Device and Network Abuse policy and must be initiated and driven by the user.

Google explain the steps for legalize it, but I don't have this permission in my manifest and I don't use functions to install files either, I don't know the real reason for this message and I'm afraid that my app will be removed from the store if I don't take the necessary measures.

Does anyone have more information on this or know what Google might actually be detecting in my app?

These are the permissions in the manifest:

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<uses-feature android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:required="false" />

Answer 1

same issue here. I am using expo managed workflow. And I found that i was mentioned "REQUEST_INSTALL_PACKAGES" at app.json in my previous uploaded bundle, it was only for internal test, still cause this problem. I solved this issue by adding Confidential permissions and API in 'app content' tab on google play console. Just tell them I was accidentally added REQUEST_INSTALL_PACKAGES in my project . Will not use it in the future.

Answer 2

After communication with the Google Play Team, I was told to publish the new version with 100% fully rolled out directly (instead of phase roll-out), so that the new version would replace the old version with REQUEST_INSTALL_PACKAGES completely. Ony then they will approve the App Review.

Answer 3

In my case. After checked all code, I am sure has remved "REQUEST_INSTALL_PACKAGES" permission. Still rejected. Then I update a new version for open testing, closed testing, Internal testing. Now app has published successfully

Answer 4

Remove the permission from your manifest and in-app functionality. Double check that your app is compliant with all other Developer Program Policies. Sign in to Play Console and submit the update to your app. Alternatively, you may also choose to deactivate these versions to avoid additional enforcements that could occur. You may follow the given steps to deactivate the non-compliant app bundles or APKS:

1. Go to your Play Console.
2. Select the app.
3. Go to the track where the non-compliant APK or app bundle is.
4. Near the top right of the page, click Create new release. (You may need to click Manage track first) If the release with the violating APK is in a draft state, discard the release.
5. Under the new release page, you can choose to: A) Upload a new, compliant APK/app bundle and make sure the new release is rolled out 100% to completely deactivate the non-compliant APK. B) Not upload any new APK/app bundle (publish an empty release to just deactivate the non-compliant old version).
6. Regardless of what you choose in step 5, please make sure that the non-compliant version of APK/app bundle is under the Not included section of this new release. For further guidance, please see the "Not included (app bundles and APKs)" section in the Play Console Help article.
7. To save any changes you make to your release, select Save. When you've finished preparing your release, select Review release.
8. If the non-compliant APK is released to multiple tracks, repeat steps 3-8 in each track.

Answer 5

1. do any of the safe plugins like: open_file_safe or open_filex

if u still have problem like me:

2. for some reason Play console will reject the latest build if you use this permission usage in other tracks (internal, alpha, etc). The REQUEST_INSTALL_PACKAGES detection may referring to existing build in other tracks instead of the latest build. The review feedback message is confusing and not helpful.

In Play console (your affected app), click App Content under Policy

Look for Sensitive permissions and APIs and click Start.

Select APKs and bundles, the list will show you the build and track that contain sensitive permission/API.

Navigate to each affected track, create a new release upload a clean build( with the previous alterations ) to replace existing, submit to review.

Navigate to Publishing overview and check whether the review is pending to submit, if any, send the review.

Then it got accepted

source: https://github.com/crazecoder/open_file/issues/204

Answer 6

In my case, this was related to the open_file in Flutter. This package is using REQUEST_INSTALL_PACKAGES permission in the manifest.

I fixed by using (open_file_safe) :https://pub.dev/packages/open_file_safe

or you can also use open_filex: https://pub.dev/packages/open_filex

both packages are the same as open_file, but .apk file type is not supported. Thus, android.permission.REQUEST_INSTALL_PACKAGES permission is not required.

If you are not using the open_file plugin, you check if the permission REQUEST_INSTALL_PACKAGES is declared in the merged manifest in build/app/intermediates/merged_manifest/ If it is being used remove the permission or else remove that plugin and find any other alternative to that plugin.

Note: If you are facing this issue with a native android project You may be querying all packages with the package manager, this is no longer allowed since Android 8.0. To resolve open the android project of your app in android studio and check the Merged Manifests portion of the AndroidManifest.xml to see if you find that permission is being used in your app if it is being used remove the permission.

If you are still not able to find the plugin or in the merged manifest file so for workaround you can try adding :

<uses-permission
    android:name="android.permission.REQUEST_INSTALL_PACKAGES"
    tools:node="remove" />

In your main manifest file. try submitting the app again on the play store hope it will help.

See more info here. https://support.google.com/googleplay/android-developer/answer/12085295?hl=en

Github Issue: https://github.com/crazecoder/open_file/issues/204

Answer 7

You can use this open_filex. They removed the .apk permission and the request for REQUEST_INSTALL_PACKAGES and add other improvements. This package is more updated then open_file_safe so I suggest to use open_filex.

Answer 8

Add REQUEST_INSTALL_PACKAGES permission with tools:node="remove" to your manifest:

<manifest ... xmlns:tools="http://schemas.android.com/tools">
   ...
   <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" tools:node="remove" />
   ...
</manifest>

Don't forget to add the tools namespace to the root element of your manifest.