Status: Approved with Issues - Further Action Required
We found issues with your app. You need to review and take action as described below, so that your app is not impacted in the future.
Issue found: Use of permission is not directly related to the core purpose of the app.
We found that your app is not compliant with how REQUEST_INSTALL_PACKAGES permission is allowed to be used. Specifically, the use of the permission is not directly related to the core purpose of the app.
Additionally, follow these steps to bring your app into compliance:
Please remove the use of REQUEST_INSTALL_PACKAGES permission from your app.
About the Request Install Packages Permission
Starting September 29, 2022, your app must be in compliance with the REQUEST_INSTALL_PACKAGES permission or your app may face additional enforcement actions. The REQUEST_INSTALL_PACKAGES permission allows an application to request the installation of app packages. To use this permission, your app’s core functionality must include:
Sending or receiving app packages, AND
Enabling user-initiated installation of app packages.
Permitted functionalities include any of the following:
Web browsing or search
Communication services that support attachments
File sharing, transfer or management
Enterprise device management
The REQUEST_INSTALL_PACKAGES permission may not be used to perform self updates, modifications, or the bundling of other APKs in the asset file unless for device management purposes. All updates or installing of packages must abide by Google Play’s Device and Network Abuse policy and must be initiated and driven by the user.
For more help addressing this issue, read more in our Help Center.
If your app does not install other apps externally, simply add the following permission to the manifest.
<uses-permission
android:name="android.permission.REQUEST_INSTALL_PACKAGES"
tools:node="remove"/>
I faced the same issue a month ago. This is related to the open_file package using REQUEST_INSTALL_PACKAGES permission in the manifest.
Issue: https://github.com/crazecoder/open_file/issues/204
The recommended solution is to use this fork: https://github.com/bertoldofonseca/better_open_file
I faced the same issue yesterdey. This permission used by open_file package.
you can user alternative packages such as better_open_file or open_filex or you can by pass this permission by adding belove code to AndroidManifest.xml:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="{you package name}"
xmlns:tools="http://schemas.android.com/tools">
and in permissions section add this code:
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" tools:node="remove"/>
good luck
If you are going to delete this permission from manifest of your app. You need to do these:
REMEMBER It's unnecessary to remove any pub.dev package which uses REQUEST_INSTALL_PACKAGES permission, after adding this to your manifest
android:name="android.permission.REQUEST_INSTALL_PACKAGES" tools:node="remove"/>
because, they remove all such kinda permission from merged manifest file(make sure that manifest opening tag involve xmlns tools like that
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
package="YOU_APP_PACKAGE_NAME">
ONE OF THE MOST IMPORTANT STEP:
You need to update all Open Testing, Internal testing and Closed testing (all tracks even if they are not active). Update your Production channel too. You can check that you updated all required ones in Policy -> App content -> App bundles and APKs using sensitive permissions section. If section is not shown here, then you updated all tracks and channels
AFTER DOING JUST THESE SIMPLE BUT REQUIRED STEPS, YOUR NEW VERSION WILL BE ACCEPTED. GUARANTEED
Remove the permission from your manifest and in-app functionality.
Double check that your app is compliant with all other Developer Program Policies.
Sign in to Play Console and submit the update to your app.
Alternatively, you may also choose to deactivate these versions to avoid additional enforcements that could occur. You may follow the given steps to deactivate the non-compliant app bundles or APKS:
Go to your Play Console.
Select the app.
Go to the track where the non-compliant APK or app bundle is.
Near the top right of the page, click Create new release. (You may need to click Manage track first) If the release with the violating APK is in a draft state, discard the release.
Under the new release page, you can choose to: A) Upload a new, compliant APK/app bundle and make sure the new release is rolled out 100% to completely deactivate the non-compliant APK. B) Not upload any new APK/app bundle (publish an empty release to just deactivate the non-compliant old version).
Regardless of what you choose in step 5, please make sure that the non-compliant version of APK/app bundle is under the Not included section of this new release. For further guidance, please see the "Not included (app bundles and APKs)" section in the Play Console Help article.
To save any changes you make to your release, select Save.
When you've finished preparing your release, select Review release.
If the non-compliant APK is released to multiple tracks, repeat steps 3-8 in each track.
Experienced the same issue a week ago. Check your builds in the Internal Testing or any other environments. Because I received the same email, but there was no information about where exactly this permission exists. Because I removed it from production build. But when I wrote to policy status technical support - they answered that the issues in the build in the Internal testing environment. I updated the build for Internal Testing and app in production was accepted.
I don't know why I have to update build in the Internal testing, because I haven't updated it for months.
But rules are rules.
Related
Google not allowed to roll out new build. Giving error sensitive permission issue.
In my flutter app, 'android.permission.REQUEST_INSTALL_PACKAGES' sensitive permission was added by 'open_file' plugin. Earlier i can upload build, but as per google current policy need to declare sensitive permission.
So I removed sensitive permissions which are not required in my app and tried to publish again. Still google didn`t allow to publish the latest build because this permission has been found in my previous testing build. I tried to change the testing build but didn't succeed. When i tried to change testing build that time google show sensitive permission issue in my previous production & previous testing build.
Please suggest me, how can i publish the new build.
Use open_filex package, Remove 'android.permission.REQUEST_INSTALL_PACKAGES' permission from android manifest and upload latest build in app console.
Open filex package has Removed REQUEST_INSTALL_PACKAGES permission in Android to comply with GooglePlay publish policies.
Is anyone got rejected from google play because of REQUEST_INSTALL_PACKAGES permission ?
I removed this permission from my app even removed plugin which used it but still got this rejection.
I checked all android manifest files, even all logs there is no REQUEST_INSTALL_PACKAGES permission
I had the same issue. Actually, there will be some other older build which is containing REQUEST_INSTALL_PACKAGES permission in the Testing(OPEN, CLOSED, INTERNAL) section that's why they are rejecting the app.
You can find such a build in the Policy Status section of the app console.
Btw, To fix this you have to suspend all such kinds of builds.
One way of doing it is, Take a fresh build and upload it to Internal Testing then promote this build to OPEN testing & after then promote it to production from the OPEN testing section.
This way it will exclude the older build and your fresh build will be approved. Added Screenshot for reference.
It may be in some library that you are using, which cannot be controlled, so remove it by add this to your AndroidManifest.xml:
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"
tools:node="remove"/>
What to do in this Situation?
Already removed the package (open_file) which was casing the problem, but still rejected!
What i have to do anything else in Privacy policy section?
#flutter
Issue found: Permission use is not directly related to your app's core purpose.
We found that your app is not compliant with how REQUEST_INSTALL_PACKAGES permission is allowed to be used. Specifically, the use of the permission is not directly related to the core purpose of the app.
Finally resolved the problem, the main problem was i used a app bundle in open testing track which was casing the rejection. If you are facing this problem simply follow my steps:
Check if there is any sensitive permission's in your app's manifest(merged) file in build folder.
Check in google play console's App Content section where you will find your affected appbundle and verison No. Just go through every policy you submitted.
Check open testing, internal testing and other tracks if those have any affected build
Create a release to the affected track (mine was open testing)
If still got rejected , you can appeal to google from google play console. They will provide more info.
Upload a new, compliant APK/app bundle and make sure the new release is rolled out 100% to completely deactivate the non-compliant APK.
you can try those steps
Go to android/app/src/ the delete debug folder
check manifest file at android\app\src\main\AndroidManifest.xml
remove REQUEST_INSTALL_PACKAGES permission from there
increase app version build and release it again
There is some steps you can follow->
Remove your old build files on both build and android/app/build
Clear previous pub cache and re run flutter pub get
Then rebuild your app. After that check your merged menifest on build folder to confirm if the permission is still there or not. If not submit again. If any previous submit already contains this permission please pause that track ( any track open/closed/internal test)
i have an APP published in play store. This APP has a lib that uses the QUERY_ALL_PACKAGES permission.
So, i remove this permission in my AndroidManifest.xml
<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" tools:node="remove"
tools:ignore="QueryAllPackagesPermission" />
After that i uploaded a new version to the play console, but it still keeps saying that the QUERY_ALL_PACKAGES permission is present.
My new build: 3603
Note that the QUERY_ALL_PACKAGES permission does not exist in this build
It seems that somehow the problem is still being associated with the previous version where it still had the QUERY_ALL_PACKAGES permission.
ps: BUILD 3494 is a older build
In short, I can't upload a version with updated permissions, because it still asks to fill in the form to use QUERY_ALL_PACKAGES, even removing this permission.
can anyone help?
I had the same issue as well, I ended up following this user's recommendation Updating an app that has sensitive permissions on the Google Play Console . I checked the app functionality, in the description I said I didn't need the functionality anymore with my newest release. I uploaded a bogus youtube video link. After about 5 min I was able to release the newest version without the QUERY_ALL_PACKAGES permission.
I was facing same issue because of my third party packages using Query all packages permission to Solve this
If you are using linux or unix based os then just go to location where flutter third party packages are installed in my case loaction is
~/snap/flutter/common/flutter/.pub-cache/hosted/pub.dartlang.org
Just run the following command in terminal
grep -r QUERY_ALL_PACKAGES *
this will gives all packages pubspec.yaml file path that uses query all packages permission remove or replace that packages
I believe this question describes the same problem, and it was answered.
QUERY_ALL_PACKAGES permission issue while my app doesn't contain it
According to google policy your All active Bundle versions need to be compliant as per google policy,
You just need to update the new version and increase the version number of Your App in all the production and testing(Internal/closed/Open) if any to deactivate the versions using QUERY_ALL_PACKAGES.
Follow this video
https://www.youtube.com/watch?v=mwTefutgXSU
Recently I've added HMS PushKit SDK with this gradle code:
implementation "com.huawei.hms:push:5.0.4.302"
After That I've noticed that my application added to the list of apps with access to install apps from unknown source (special permission). I checked the AndroidManifest.xml file of one of this library's dependency (com.huawei.hms.base.availableupdate) and saw that it has this special permission:
<!-- If it is Android 8.0, the targetSdkVersion of the application compilation configuration>=26, please be sure to add the following permissions -->
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
So Why PushKit needs this permission? I don't want my app to use this permission. And If I remove it with this code is there gonna be a problem (crash):
<uses-permission
android:name="android.permission.REQUEST_INSTALL_PACKAGES"
tools:node="remove"/>
UPDATE
If you remove this permission, it will not be affected on Huawei phones,but the HMS Core APK may not be installed on non-Huawei phones.
can it cause to crash in our app because of upgrade failure?--no,Only will make the application cannot be automatically upgraded,have to uninstall and download the new version.
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
This permission is used to update the HMS Core and push kit APK. Push kit strongly depends on the HMS Core and push kit APK. If this permission is not granted, applications may fail to be installed, and causing upgrade failures of the HMS and push kit`s APK.
Therefore, this permission is mandatory.
android.permission.REQUEST_INSTALL_PACKAGES is a permission that allows a framework or a component on Android, to refer to an external (maven most often) repository, in order to minimise the final installation apk size for the end user by installing source code remotely, instead of packaging it all inside the same apk (for initial download).
Be careful with this permission, because if it is enabled, not on your app, but rather a dependency, it will be rejected. This is because if there are any security issues with your dependency, there is no way for google to pick this up, when you upload the app bundle onto the store. This is because of a remote download of the source code, instead of it being packaged inside the same apk that google can strip.
As a result google will not accept this apk, and it will be rejected (just because google does not know, and has no way of knowing if there is any malicous code being included in the final end user package).
You can try to fork this library, and remove the permission from the manifest, but then you will encounter missing method exceptions.
Your best bet in this case is to find another library that does not install extra source code from a remote maven repository, in order to avoid a google play store rejection.
Looking at this package, it looks like it's an SDK built on top of the Android SDKs. If there is a way for you to get around this, and work directly on the google android sdk, while also making it so the customer does not notice, then that should be fine. At the end of the day the customer does not care how you do it, as long as it works.