1# 4\. Application Packaging Compatibility
2
3Devices implementations:
4
5*    [C-0-1] MUST be capable of installing and running Android “.apk” files as
6generated by the “aapt” tool included in the
7[official Android SDK](
8http://developer.android.com/tools/help/index.html).
9   *   As the above requirement may be challenging, device implementations are
10   RECOMMENDED to use the AOSP reference implementation's package management
11   system.
12
13Device implementations:
14
15*    [C-0-2] MUST support verifying “.apk” files using the
16[APK Signature Scheme v3](https://source.android.com/security/apksigning/v3.html)
17, [APK Signature Scheme v2](https://source.android.com/security/apksigning/v2.html)
18and [JAR signing](
19https://source.android.com/security/apksigning/v2.html#v1-verification).
20*    [C-0-3] MUST NOT extend either the
21[.apk](http://developer.android.com/guide/components/fundamentals.html),
22[Android Manifest](
23http://developer.android.com/guide/topics/manifest/manifest-intro.html),
24[Dalvik bytecode](https://android.googlesource.com/platform/dalvik/), or
25RenderScript bytecode formats in such a way that would prevent those files from
26installing and running correctly on other compatible devices.
27*    [C-0-4] MUST NOT allow apps other than the current
28"installer of record" for the package to silently uninstall the app without any
29user confirmation, as documented in the SDK for the [`DELETE_PACKAGE`](
30https://developer.android.com/reference/android/Manifest.permission.html#DELETE_PACKAGES)
31permission. The only exceptions are the system package verifier app handling
32[PACKAGE_NEEDS_VERIFICATION](
33https://developer.android.com/reference/android/content/Intent.html#ACTION_PACKAGE_NEEDS_VERIFICATION)
34intent and the storage manager app handling [ACTION_MANAGE_STORAGE](
35https://developer.android.com/reference/android/os/storage/StorageManager.html#ACTION_MANAGE_STORAGE)
36intent.
37
38*    [C-0-5] MUST have an activity that handles the
39[`android.settings.MANAGE_UNKNOWN_APP_SOURCES`](http://developer.android.com/reference/android/provider/Settings.html#ACTION_MANAGE_UNKNOWN_APP_SOURCES)
40intent.
41
42*    [C-0-6] MUST NOT install application packages from unknown
43sources, unless the app that [requests the installation](https://developer.android.com/reference/android/content/Intent.html#ACTION_INSTALL_PACKAGE)
44meets all the following requirements:
45
46    *   It MUST declare the [`REQUEST_INSTALL_PACKAGES`](http://developer.android.com/reference/android/Manifest.permission.html#REQUEST_INSTALL_PACKAGES)
47    permission or have the `android:targetSdkVersion` set at 24 or lower.
48    *   It MUST have been granted permission by the user to install apps from
49    unknown sources.
50
51*    SHOULD provide a user affordance to grant/revoke the permission to
52install apps from unknown sources per application, but MAY choose to implement
53this as a no-op and return `RESULT_CANCELED` for [`startActivityForResult()`](
54http://developer.android.com/reference/android/app/Activity.html#startActivityForResult%28android.content.Intent,int%29),
55if the device implementation does not want to allow users to have this choice.
56However, even in such cases, they SHOULD indicate to the user why there is no
57such choice presented.
58
59*    [C-0-7] MUST display a warning dialog with the warning string that is
60provided through the system API `PackageManager.setHarmfulAppWarning`
61to the user before launching an activity in an application that has been marked
62by the same system API `PackageManager.setHarmfulAppWarning` as potentially
63harmful.
64*    SHOULD provide a user affordance to choose to uninstall or launch an
65application on the warning dialog.
66