
So I've been using this free security app called Sophos Intercept X for mobile, which is an endpoint security product, on an app that I had been working on. The security app tells me my app can ask Android to install another app (Trigger installation) and also starts the app when the device starts (Start at device start). Problem is, I've never specified any kind of those permissions in the AndroidManifest.xml.

Below is the list of user permission in my AndroidManifest.xml:

```xml
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="com.android.vending.BILLING" />
<uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION"/>
```

Am I missing something here? Based on my research I would need to have

```xml
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
```

and/or

```xml
<uses-permission android:name="android.permission.INSTALL_PACKAGES" />
```

in order to install another app within the app.

As for starting the app on boot, that requires the permission:

```xml
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
```

So my question is, is this security app Sophos Intercept X simply not 100% reliable or are there actually other ways that can cause my app to:

  1. Install another app
  2. Start the app once the device starts

Below are some resources that I've been looking at:

Install Application programmatically on Android

How can I start android application on device boot?

After looking at the merged version I see:

```xml
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />

<uses-permission android:name="android.permission.BIND_GET_INSTALL_REFERRER_SERVICE" />
```
Mark
  • "Below is the list of user permission in my AndroidManifest.xml" -- are you looking just at your own manifest, or the merged one (Merged Manifest sub-tab in Android Studio's manifest editor)? – CommonsWare Jun 04 '21 at 18:37
  • Just my own manifest. I'll see what's in the Merged Manifest – Mark Jun 04 '21 at 18:40
  • So that solves the mystery of why my app starts on boot. – Mark Jun 04 '21 at 18:53
  • Some library is contributing that. While the color-coding system that Android Studio uses for the merged manifest leaves something to be desired, it might help you determine which library that is. In terms of "Trigger installation"... you would have to ask Sophos what they mean. For example, calling `startActivity()` for an `ACTION_VIEW` `Intent` could request to install an app, if the associated `Uri` points to an app. – CommonsWare Jun 04 '21 at 18:59
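
The merged-manifest check discussed in the comments above, as an added example that is not part of the original thread: it lists the permissions that appear only in the merged manifest and attributes each one to the library manifests supplied. The manifests and library names are constructed, the function names are this example's own, and the permission names are written as they appear in the question.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"
NAME, NODE = f"{{{ANDROID_NS}}}name", f"{{{TOOLS_NS}}}node"


def requested_permissions(manifest_xml):
    """Return the permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            # tools:node="remove" strips a permission during the merge,
            # so it is not a request.
            if el.get(NAME) and el.get(NODE) != "remove":
                found.add(el.get(NAME))
    return found


def inherited_permissions(app_xml, merged_xml, library_xmls):
    """Map each permission found only in the merged manifest to the
    libraries whose own manifest requests it ([] = none of those given)."""
    extra = requested_permissions(merged_xml) - requested_permissions(app_xml)
    by_lib = {lib: requested_permissions(x) for lib, x in library_xmls.items()}
    return {p: sorted(lib for lib, perms in by_lib.items() if p in perms)
            for p in sorted(extra)}


def sample_manifest(*perms):
    """Build a constructed manifest for the demo data below."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return f'<manifest xmlns:android="{ANDROID_NS}">{body}</manifest>'


# Constructed sample data; the library names are hypothetical.
P = "android.permission."
APP = sample_manifest(P + "INTERNET", P + "CAMERA", P + "WAKE_LOCK")
MERGED = sample_manifest(P + "INTERNET", P + "CAMERA", P + "WAKE_LOCK",
                         P + "RECEIVE_BOOT_COMPLETED",
                         P + "BIND_GET_INSTALL_REFERRER_SERVICE")
LIBS = {"example-scheduler-lib": sample_manifest(P + "WAKE_LOCK",
                                                 P + "RECEIVE_BOOT_COMPLETED")}

if __name__ == "__main__":
    for perm, libs in inherited_permissions(APP, MERGED, LIBS).items():
        print(perm, "<-", ", ".join(libs) or "not in any supplied library manifest")
```

An empty list means the permission came from a dependency whose manifest was not among those supplied, so the set of library manifests needs widening before drawing conclusions.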

0 Answers