问题
Recently I've added HMS PushKit SDK with this gradle code:
implementation "com.huawei.hms:push:5.0.4.302"
After That I've noticed that my application added to the list of apps with access to install apps from unknown source (special permission). I checked the AndroidManifest.xml file of one of this library's dependency (com.huawei.hms.base.availableupdate) and saw that it has this special permission:
<!-- If it is Android 8.0, the targetSdkVersion of the application compilation configuration>=26, please be sure to add the following permissions -->
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
So Why PushKit needs this permission? I don't want my app to use this permission. And If I remove it with this code is there gonna be a problem (crash):
<uses-permission
android:name="android.permission.REQUEST_INSTALL_PACKAGES"
tools:node="remove"/>
回答1:
UPDATE
If you remove this permission, it will not be affected on Huawei phones,but the HMS Core APK may not be installed on non-Huawei phones.
can it cause to crash in our app because of upgrade failure?--no,Only will make the application cannot be automatically upgraded,have to uninstall and download the new version.
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
This permission is used to update the HMS Core and push kit APK. Push kit strongly depends on the HMS Core and push kit APK. If this permission is not granted, applications may fail to be installed, and causing upgrade failures of the HMS and push kit`s APK.
Therefore, this permission is mandatory.
回答2:
android.permission.REQUEST_INSTALL_PACKAGES is a permission that allows a framework or a component on Android, to refer to an external (maven most often) repository, in order to minimise the final installation apk size for the end user by installing source code remotely, instead of packaging it all inside the same apk (for initial download).
Be careful with this permission, because if it is enabled, not on your app, but rather a dependency, it will be rejected. This is because if there are any security issues with your dependency, there is no way for google to pick this up, when you upload the app bundle onto the store. This is because of a remote download of the source code, instead of it being packaged inside the same apk that google can strip.
As a result google will not accept this apk, and it will be rejected (just because google does not know, and has no way of knowing if there is any malicous code being included in the final end user package).
You can try to fork this library, and remove the permission from the manifest, but then you will encounter missing method exceptions.
Your best bet in this case is to find another library that does not install extra source code from a remote maven repository, in order to avoid a google play store rejection.
Looking at this package, it looks like it's an SDK built on top of the Android SDKs. If there is a way for you to get around this, and work directly on the google android sdk, while also making it so the customer does not notice, then that should be fine. At the end of the day the customer does not care how you do it, as long as it works.
来源:https://stackoverflow.com/questions/65977403/why-hms-pushkit-needs-android-permission-request-install-packages