## 9.4\. Alternate Execution Environments

Device implementations MUST keep consistency of the Android security and
permission model, even if they include runtime environments that execute
applications using some other software or technology than the Dalvik Executable
Format or native code. In other words:

*    [C-0-1] Alternate runtimes MUST themselves be Android applications,
and abide by the standard Android security model, as described elsewhere
in [section 9](#9_security_model_compatibility).

*    [C-0-2] Alternate runtimes MUST NOT be granted access to resources
protected by permissions not requested in the runtime’s `AndroidManifest.xml`
file via the `<uses-permission>` mechanism.

*    [C-0-3] Alternate runtimes MUST NOT permit applications to make use of
features protected by Android permissions restricted to system applications.

*    [C-0-4] Alternate runtimes MUST abide by the Android sandbox model
and installed applications using an alternate runtime MUST NOT
reuse the sandbox of any other app installed on the device, except through
the standard Android mechanisms of shared user ID and signing certificate.

*    [C-0-5] Alternate runtimes MUST NOT launch with, grant, or be granted
access to the sandboxes corresponding to other Android applications.

*    [C-0-6] Alternate runtimes MUST NOT be launched with, be granted, or grant
to other applications any privileges of the superuser (root), or of any other
user ID.

*    [C-0-7] When the `.apk` files of alternate runtimes are included in the
system image of device implementations, they MUST be signed with a key distinct
from the key used to sign other applications included with the device
implementations.

*    [C-0-8] When installing applications, alternate runtimes MUST obtain
user consent for the Android permissions used by the application.

*    [C-0-9] When an application needs to make use of a device resource for
which there is a corresponding Android permission (such as Camera, GPS, etc.),
the alternate runtime MUST inform the user that the application will be able to
access that resource.

*    [C-0-10] When the runtime environment does not record application
capabilities in this manner, the runtime environment MUST list all permissions
held by the runtime itself when installing any application using that runtime.

*    Alternate runtimes SHOULD install apps via the `PackageManager` into
separate Android sandboxes (Linux user IDs, etc.).

*    Alternate runtimes MAY provide a single Android sandbox shared by all
applications using the alternate runtime.

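The checks below are an added example, not part of the compatibility definition: they audit a package inventory against C-0-2, C-0-4, C-0-6 (root case only) and C-0-7, for the SHOULD case where apps are installed into separate sandboxes. The inventory schema, the `pkg` helper, and all package names and certificate labels are assumptions constructed for the example.

```python
# Added example. The inventory schema is an assumption of this example,
# not an Android format; package names and certificate labels are constructed.
from collections import defaultdict

def audit_runtime(runtime_pkg, inventory):
    """Return the section 9.4 requirement IDs that the inventory violates."""
    rt, failed = inventory[runtime_pkg], set()
    # C-0-2: nothing may be granted that the manifest did not request.
    if set(rt["granted"]) - set(rt["requested"]):
        failed.add("C-0-2")
    # C-0-6 (root case only): the runtime must not run as UID 0.
    if rt["uid"] == 0:
        failed.add("C-0-6")
    # C-0-7: a runtime shipped in the system image needs its own signing key.
    if rt["in_system_image"] and any(
            p["in_system_image"] and p["cert"] == rt["cert"]
            for name, p in inventory.items() if name != runtime_pkg):
        failed.add("C-0-7")
    # C-0-4: an app using the runtime may share a UID with another package
    # only through a shared user ID backed by the same signing certificate.
    by_uid = defaultdict(list)
    for name, p in inventory.items():
        by_uid[p["uid"]].append((name, p))
    for name, p in inventory.items():
        if p.get("runtime") != runtime_pkg:
            continue
        for peer_name, peer in by_uid[p["uid"]]:
            if peer_name != name and not (
                    p["shared_uid"] and p["shared_uid"] == peer["shared_uid"]
                    and p["cert"] == peer["cert"]):
                failed.add("C-0-4")
    return sorted(failed)

def pkg(uid, cert, system=False, requested=(), granted=(), shared_uid=None, runtime=None):
    return dict(uid=uid, cert=cert, in_system_image=system, requested=requested,
                granted=granted, shared_uid=shared_uid, runtime=runtime)

CAM, SMS = "android.permission.CAMERA", "android.permission.READ_SMS"
# Constructed inventories: a compliant layout and a non-compliant one.
GOOD = {
    "example.runtime": pkg(10101, "cert-runtime", True, (CAM,), (CAM,)),
    "example.launcher": pkg(10050, "cert-platform", True),
    "example.game": pkg(10102, "cert-dev", runtime="example.runtime"),
}
BAD = {
    "example.runtime": pkg(10101, "cert-platform", True, (CAM,), (CAM, SMS)),
    "example.launcher": pkg(10050, "cert-platform", True),
    "example.game": pkg(10050, "cert-dev", runtime="example.runtime"),
}
```

`audit_runtime("example.runtime", BAD)` reports the over-granted permission, the signing key shared with another system image app, and the hosted app that shares a UID with the launcher without a shared user ID.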