UIKit declares high risk / sensitive permission against Google Play policy


UIKit Version:

Our latest release to Google Play was flagged as containing a high risk or sensitive permission that violates policy. This permission is REQUEST_INSTALL_PACKAGES. I took a look at our merged manifest and see that it is SendBird that is declaring this permission. This is an unexpected permission for a chat library to request. Why does SendBird declare this permission in its manifest?

In the meantime, I am going to prevent it from being merged into our app’s manifest with the following line:

    tools:node="remove" />
1 Like

Hi, sorry for the late reply.

The REQUEST_INSTALL_PACKAGES permission was needed when the Android APK file was sent to the channel and installed, but a new UIKit version will be released to delete the permission and change it to a delegation to the app if needed.

Looks like UIKit 3.0.0 still adds this permission! Is it safe to prevent it from being merged as suggested?

ADDED from [com.sendbird.sdk:uikit:3.0.0] /Users/berryventura/.gradle/caches/transforms-3/4a32bee9175f1087e80ef5757f041c04/transformed/jetified-uikit-3.0.0/AndroidManifest.xml:15:22-62

@Brian_Sang When you say “when the Android APK file was sent to the channel and installed”, what is the APK file you are referring to? Or are you simply saying that SendBird UIKit once supported installing arbitrary APKs that users could send each other through the chat interface?

@berry For what it’s worth, I removed this permission in our manifest a few months ago and so far have had no issues.

It means sending an apk file to a channel. When sending an apk file to a channel, it was impossible to install it without the above permission, so the UIKit included the above permission. The above permission has now been changed to what customers need to set up in their app as needed, and the permission has been deleted from UIKit.

The permission was removed from UIKit v2.2.6 and UIKit 3.1.0 respectively.