[BUG] Android Management API: "Disable" Option Bypasses FORCE_INSTALLED Restriction

BS
Level 1.5: Cupcake

While implementing the Android Management API to configure a critical application as FORCE_INSTALLED, I encountered a significant issue. Under normal circumstances, this configuration prevents users from uninstalling or disabling the app, displaying an "Action not allowed" message when such actions are attempted via the device settings.

However, when the user long-presses the app icon on the launcher, the "Disable" option becomes available, and selecting it successfully disables the application. This behavior undermines the intended enforcement of the FORCE_INSTALLED policy. Moreover, when trying to enable the application, the "Action not allowed" message is displayed.


Steps to Reproduce

  1. Configure an application in the policy with the following parameters:
    "applications": [
      {
        "packageName": "com.example.app",
        "installType": "FORCE_INSTALLED",
        "allowDisable": false
      }
    ]
  2. Apply the policy to a managed device.
  3. Attempt to disable the application through the device settings; the action will be correctly blocked with an "Action not allowed" message.
  4. Long-press the app icon on the launcher and select "Disable" (if the launcher supports this functionality).

Expected Behavior
The "Disable" option should not appear in the launcher, or if it does, selecting it should trigger the "Action not allowed" message, consistent with the behavior in the device settings.

Observed Behavior
Despite the FORCE_INSTALLED restriction, the application can be disabled via the launcher, bypassing the enforced policy.


This issue was encountered on an Android 13 device. It seems to have been solved on Android 14. The application was also made to be a system application. Adding the extension configuration for the application also fixes the issue, but only one application can have that enabled.


Lizzie
Google Community Manager

Hello @BS,

Great to meet you. Thanks for highlighting this.

Just to check, as you say you have tried this on Android 14 and it's working, is your ask here if it will be fixed on Android 13 too? Or is this more of an awareness for others?

Thanks so much,

Lizzie




BS
Level 1.5: Cupcake

Hello @Lizzie,

On the default launcher in Android 14, the 'disable' option does not appear when long-pressing an application, which prevents the exploit from occurring. However, I don’t believe this indicates that the issue has been inherently resolved in Android 14. My question is whether this issue will be addressed for Android 13 as well.

Thanks