1# 4\. Application Packaging Compatibility 2 3Devices implementations: 4 5* [C-0-1] MUST be capable of installing and running Android “.apk” files as 6generated by the “aapt” tool included in the 7[official Android SDK]( 8http://developer.android.com/tools/help/index.html). 9 * As the above requirement may be challenging, device implementations are 10 RECOMMENDED to use the AOSP reference implementation's package management 11 system. 12 13Device implementations: 14 15* [C-0-2] MUST support verifying “.apk” files using the 16[APK Signature Scheme v3](https://source.android.com/security/apksigning/v3.html) 17, [APK Signature Scheme v2](https://source.android.com/security/apksigning/v2.html) 18and [JAR signing]( 19https://source.android.com/security/apksigning/v2.html#v1-verification). 20* [C-0-3] MUST NOT extend either the 21[.apk](http://developer.android.com/guide/components/fundamentals.html), 22[Android Manifest]( 23http://developer.android.com/guide/topics/manifest/manifest-intro.html), 24[Dalvik bytecode](https://android.googlesource.com/platform/dalvik/), or 25RenderScript bytecode formats in such a way that would prevent those files from 26installing and running correctly on other compatible devices. 27* [C-0-4] MUST NOT allow apps other than the current 28"installer of record" for the package to silently uninstall the app without any 29user confirmation, as documented in the SDK for the [`DELETE_PACKAGE`]( 30https://developer.android.com/reference/android/Manifest.permission.html#DELETE_PACKAGES) 31permission. The only exceptions are the system package verifier app handling 32[PACKAGE_NEEDS_VERIFICATION]( 33https://developer.android.com/reference/android/content/Intent.html#ACTION_PACKAGE_NEEDS_VERIFICATION) 34intent and the storage manager app handling [ACTION_MANAGE_STORAGE]( 35https://developer.android.com/reference/android/os/storage/StorageManager.html#ACTION_MANAGE_STORAGE) 36intent. 37 38* [C-0-5] MUST have an activity that handles the 39[`android.settings.MANAGE_UNKNOWN_APP_SOURCES`](http://developer.android.com/reference/android/provider/Settings.html#ACTION_MANAGE_UNKNOWN_APP_SOURCES) 40intent. 41 42* [C-0-6] MUST NOT install application packages from unknown 43sources, unless the app that [requests the installation](https://developer.android.com/reference/android/content/Intent.html#ACTION_INSTALL_PACKAGE) 44meets all the following requirements: 45 46 * It MUST declare the [`REQUEST_INSTALL_PACKAGES`](http://developer.android.com/reference/android/Manifest.permission.html#REQUEST_INSTALL_PACKAGES) 47 permission or have the `android:targetSdkVersion` set at 24 or lower. 48 * It MUST have been granted permission by the user to install apps from 49 unknown sources. 50 51* SHOULD provide a user affordance to grant/revoke the permission to 52install apps from unknown sources per application, but MAY choose to implement 53this as a no-op and return `RESULT_CANCELED` for [`startActivityForResult()`]( 54http://developer.android.com/reference/android/app/Activity.html#startActivityForResult%28android.content.Intent,int%29), 55if the device implementation does not want to allow users to have this choice. 56However, even in such cases, they SHOULD indicate to the user why there is no 57such choice presented. 58 59* [C-0-7] MUST display a warning dialog with the warning string that is 60provided through the system API `PackageManager.setHarmfulAppWarning` 61to the user before launching an activity in an application that has been marked 62by the same system API `PackageManager.setHarmfulAppWarning` as potentially 63harmful. 64* SHOULD provide a user affordance to choose to uninstall or launch an 65application on the warning dialog. 66