Google’s rules have long held that the Play Store will not distribute third-party app stores, but no policy has ever taken a strict position forbidding apps from installing APKs, as long as users give consent and malware isn’t involved. However, that’s about to change as a new rule takes aim at this capability and limits it to a fairly narrow group of apps.

The change comes as part of the April 2022 Developer Program Policy update and specifies that apps may only be allowed to install APKs if part of their core functionality is to either transfer app packages or enable users to install them.

This effectively boils down to simply saying apps should only have the capability to install an APK if that’s an obvious necessity for the type of app — file managers and web browsers, for example. The counter examples would be things like games, podcast players, camera apps; none of which should need to install other apps on their own.

At the heart of this policy change is an Android OS permission called REQUEST_INSTALL_PACKAGES that has been around since Android 6.0 Marshmallow. If this permission is included in an app’s manifest, meaning the app is declaring it needs this ability, it can trigger an install request that prompts the user to permit an APK installation to continue. Apps that don't declare this permission will not be affected by the policy. However, it's notable that app developers should check that any third-party libraries included in their apps have not added this permission either, including ad networks.

Why is this rule being added? Google hasn’t posted an explanation for the change, but it may be aimed at blocking some maligned tactics that have grown in popularity, like ad networks that attempt to install APKs on devices without directing users to the Play Store.

Google’s new policy goes on to list a set of functionalities and app types that are considered to be acceptable:

  • Web browsing or search; or
  • Communication services that support attachments; or
  • File sharing, transfer or management; or
  • Enterprise device management.

It’s notable that the requirements also specify that self updates, modifications, and bundling of APKs is prohibited; but an exception has been carved out for device management, which generally fits within the realm of enterprise software and deployment tools.

Finally, apps must have Play Store descriptions containing a disclosure about the ability to install apps, and an explanation of the core features that use it.

The new policy is set to go into effect August 11, 2022. However, it’s not clear how these rules will be enforced and if the Play Store will simply block app updates that include the permission, or if existing apps will be unlisted until developers publish new versions of their apps. If history is anything to go by, Google generally prefers to purge apps first and sort out the mess later, which means app developers should be as proactive as possible to avoid complications.

This policy change is coming hot on the heels of another Play Store announcement that apps with outdated API levels will be hidden from search, and it joins another announcement establishing a stricter stance on apps intended for children.