[BUG] Android Management API: "Disable" Option Bypasses FORCE_INSTALLED Restriction

BS
Level 1.5: Cupcake

While implementing the Android Management API to configure a critical application as FORCE_INSTALLED, I encountered a significant issue. Under normal circumstances, this configuration prevents users from uninstalling or disabling the app, displaying an "Action not allowed" message when such actions are attempted via the device settings.

However, When the user long-presses the app icon on the launcher, the "Disable" option becomes available, and selecting it successfully disables the application. This behavior undermines the intended enforcement of the FORCE_INSTALLED policy. Moreover, when trying to enable the application, the "Action not allowed" message is displayed.


Steps to Reproduce

  1. Configure an application in the policy with the following parameters:
    "applications": [
      {
        "packageName": "com.example.app",
        "installType": "FORCE_INSTALLED",
        "allowDisable": false
      }
    ]
  2. Apply the policy to a managed device.
  3. Attempt to disable the application through the device settings; the action will be correctly blocked with an "Action not allowed" message.
  4. Long-press the app icon on the launcher and select "Disable" (if the launcher supports this functionality).

Expected Behavior:
The "Disable" option should not appear in the launcher, or if it does, selecting it should trigger the "Action not allowed" message, consistent with the behavior in the device settings.

Observed Behavior
Despite the FORCE_INSTALLED restriction, the application can be disabled via the launcher, bypassing the enforced policy.


This issue was encountered on an Android 13 device. Seems to have been solved on Android 14. The application was also made to be a system application. Also, adding the extension configuration for the application, also fixes the issue, but only one application can have that enabled.

4 REPLIES 4

Lizzie
Google Community Manager
Google Community Manager

Hello @BS,

 

Great to meet you. Thanks for highlighting this. 

 

Just to check as you say you have tried this on Android 14 and it's working, is your ask here if it will be fixed on Android 13 too? Or is this more of an awareness for others? 

 

Thanks so much,

Lizzie



Welcome to the Community everyone!

Have a question or want to start a conversation, click here.

BS
Level 1.5: Cupcake

Hello @Lizzie,

On the default launcher in Android 14, the 'disable' option does not appear when long-pressing an application, which prevents the exploit from occurring. However, I don’t believe this indicates that the issue has been inherently resolved in Android 14. My question is whether this issue will be addressed for Android 13 as well.

Thanks

Lizzie
Google Community Manager
Google Community Manager

Thanks so much for confirming @BS. Yeah, looking at this the behaviour UX has changed for this. Personally it looks like it could do with a new policy to display this. I wonder have you spoken to your  EMM about this already?



Welcome to the Community everyone!

Have a question or want to start a conversation, click here.

BS
Level 1.5: Cupcake

The policy remains the same, and we’ve developed our own EMM solution. The documentation provided by AMAPI is comprehensive and made the integration process straightforward and seamless for us.
I do have several other questions I always wanted to ask. I'll create a separate post for that.

Thanks!