Closed Bug 1480079 Opened 7 years ago Closed 7 years ago

Check whether all builds require REQUEST_INSTALL_PACKAGES permission

Categories

(Firefox for Android Graveyard :: Download Manager, enhancement)

Product:
Firefox for Android Graveyard
Component:
Download Manager
Version:
Firefox 63
Platform:
All
Android
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(firefox63 verified)

Status:
VERIFIED FIXED
Milestone:
Firefox 63
Tracking Flags:
Tracking Status
firefox63 --- verified

People

(Reporter: JanH, Assigned: petru)

References

Details

Attachments

(1 file)

Bug 1480079 - Add REQUEST_INSTALL_PACKAGES permission for all builds;
59 bytes, text/x-review-board-request
Details
... so that users can directly install APK files they've downloaded through Firefox by launching the file from the download notification or about:downloads.
Indeed, just tested. Thanks Jan!
Assignee: nobody → petru.lingurar
Status: NEW → ASSIGNED
Attachment #8997424 - Flags: review?(sdaswani) → review?(nchen)
Hmm IIRC every time we add a permission like this the user will have to update manually from the Play Store. This results in a significant number of users not updating at all. In the past we have grouped new permissions together to release at the same time. So I think it's a product decision whether we want to hold off on adding this permission. Maybe we want to open the downloads directory instead of installing the APK directly? Allowing direct APK installs has also been a security concern in the past.
Flags: needinfo?(sdaswani)
(In reply to Jim Chen [:jchen] [:darchons] from comment #3) > Hmm IIRC every time we add a permission like this the user will have to > update manually from the Play Store. This results in a significant number of > users not updating at all. In the past we have grouped new permissions > together to release at the same time. So I think it's a product decision > whether we want to hold off on adding this permission. > > Maybe we want to open the downloads directory instead of installing the APK > directly? Allowing direct APK installs has also been a security concern in > the past. Other than the updater I don't think we're opening anything automatically, though, so users still have to click either the "download finished" notification or the completed download in about:downloads first. So I don't really see the benefit of additionally detouring them via a file manager first. Peeking at Chrome's manifest, they a) do declare that permission b) declare it with <uses-permission-sdk-23>, which might at least avoid a permission bump (if one is really required) on Android versions prior to Marshmallow. With any luck this might also actually work as a runtime permission on later Android versions, especially on O and therefore avoid a permission bump there as well.
Also bug 1478970 landed in Nightly only yesterday, so couldn't we ask around to see whether that affected automatic updates in any way? Plus according to https://developer.android.com/guide/topics/permissions/overview#permission-groups, REQUEST_INSTALL_PACKAGES isn't listed among the "dangerous" permissions that require explicit user consent, so we should be fine anyway, especially if we also switch to declaring it with <uses-permission-sdk-23>.
Comment on attachment 8997424 [details] Bug 1480079 - Add REQUEST_INSTALL_PACKAGES permission for all builds; https://reviewboard.mozilla.org/r/261200/#review268552 Adding `<uses-permission-sdk-23>` sounds like a good plan
Attachment #8997424 - Flags: review?(nchen) → review+
Attachment #8997424 - Flags: review?(sdaswani) → review?(nchen)
Attachment #8997424 - Flags: review?(nchen)
Keywords: checkin-needed
Jim, thanks for flagging this. I believe Jan that it's not a dangerous permission, but I want QA to validate this. Sorina can you validate that the user won't have to manually update?
Flags: needinfo?(sdaswani) → needinfo?(sorina.florean)
Pushed by aiakab@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8865d2752c66 Add REQUEST_INSTALL_PACKAGES permission for all builds; r=jchen
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/8865d2752c66
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox63: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 63
Updated an older Nightly build from the Play store on the following devices: - Xiaomi Mi4i(Android 5.0.2) - Prestigio Grace X5(Android 4.4.2) - Xiaomi Mi Pad 2(Android 5.1 - x86 architecture) - Google Pixel(Android 9) - Samsung Galaxy note8(Android 8.0.0) and no prompt about a new permission were displayed and all was working normally.
Status: RESOLVED → VERIFIED
status-firefox63: fixedverified
Flags: needinfo?(sorina.florean)
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: