Merge pull request #3393 from dpalou/MOBILE-4134

MOBILE-4134 android: Add script to remove INSTALL_PACKAGES permission

Author: crazyserver

config.xml

@@ -63,6 +63,7 @@
         <resource-file src="resources/android/icon/drawable-hdpi-smallicon.png" target="app/src/main/res/mipmap-hdpi/smallicon.png" />
         <resource-file src="resources/android/icon/drawable-xhdpi-smallicon.png" target="app/src/main/res/mipmap-xhdpi/smallicon.png" />
         <resource-file src="resources/android/xml/network_security_config.xml" target="app/src/main/res/xml/network_security_config.xml" />
+        <hook src="scripts/android/remove_permissions.js" type="after_prepare" />
         <edit-config file="AndroidManifest.xml" mode="merge" target="/manifest/application/activity[@android:name='MainActivity']">
             <activity android:configChanges="orientation|keyboardHidden|keyboard|screenSize|locale|screenLayout|smallestScreenSize" android:exported="true" />
         </edit-config>

package-lock.json

@@ -172,7 +172,8 @@
     "terser-webpack-plugin": "4.2.3",
     "ts-jest": "26.4.1",
     "ts-node": "8.3.0",
-    "typescript": "3.9.9"
+    "typescript": "3.9.9",
+    "xml2js": "0.4.23"
   },
   "engines": {
     "node": ">=14.15.0 <15"

package.json

@@ -0,0 +1,51 @@
+// (C) Copyright 2015 Moodle Pty Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/**
+ * Script to remove permissions for APK files. Implementation obtained from:
+ * https://stackoverflow.com/a/67530993/5820052
+ */
+const fs = require('fs/promises');
+const xml2js = require('xml2js');
+
+const REMOVE_PERMISSIONS = [
+    'android.permission.REQUEST_INSTALL_PACKAGES',
+];
+
+module.exports = async function(context) {
+    const root = context.opts.projectRoot;
+    const manifestPath = root + '/platforms/android/app/src/main/AndroidManifest.xml';
+
+    const manifestXml = await fs.readFile(manifestPath);
+    const manifest = await xml2js.parseStringPromise(manifestXml);
+
+    const usesPermissions = manifest.manifest['uses-permission'];
+    if (Array.isArray(usesPermissions)) {
+        manifest.manifest['uses-permission'] = usesPermissions.filter(usesPermission => {
+            const attrs = usesPermission.$ || {};
+            const name = attrs['android:name'];
+
+            if (REMOVE_PERMISSIONS.includes(name)) {
+                console.log(`Removing permission "${name}" from AndroidManifest.xml`);
+                return false;
+            } else {
+                return true;
+            }
+        });
+    }
+
+    const newManifest = (new xml2js.Builder()).buildObject(manifest);
+
+    await fs.writeFile(manifestPath, newManifest);
+}

scripts/android/remove_permissions.js

@@ -1471,6 +1471,7 @@
   "core.cannotconnecttrouble": "local_moodlemobileapp",
   "core.cannotconnectverify": "local_moodlemobileapp",
   "core.cannotdownloadfiles": "local_moodlemobileapp",
+  "core.cannotinstallapk": "local_moodlemobileapp",
   "core.cannotlogoutpageblocks": "local_moodlemobileapp",
   "core.cannotopeninapp": "local_moodlemobileapp",
   "core.cannotopeninappdownload": "local_moodlemobileapp",

scripts/langindex.json

@@ -18,6 +18,7 @@
     "cannotconnecttrouble": "We're having trouble connecting to your site.",
     "cannotconnectverify": "<strong>Please check the address is correct.</strong>",
     "cannotdownloadfiles": "File downloading is disabled. Please contact your site administrator.",
+    "cannotinstallapk": "For security reasons, it is not allowed to install unknown apps from the Moodle app. Please open the file using a browser.",
     "cannotlogoutpageblocks": "Please save or discard your changes before continuing.",
     "cannotopeninapp": "This file may not work as expected on this device. Would you like to open it anyway?",
     "cannotopeninappdownload": "This file may not work as expected on this device. Would you like to download it anyway?",

src/core/lang.json

@@ -27,6 +27,7 @@ import { CoreConstants } from '@/core/constants';
 import { CoreError } from '@classes/errors/error';
 import { makeSingleton, Translate } from '@singletons';
 import { CoreNetworkError } from '@classes/errors/network-error';
+import { CoreMimetypeUtils } from './utils/mimetype';
 
 /**
  * Provider to provide some helper functions regarding files and packages.
@@ -303,18 +304,22 @@ export class CoreFileHelperProvider {
     }
 
     /**
-     * Whether the file has to be opened in browser (external repository).
-     * The file must have a mimetype attribute.
+     * Whether the file has to be opened in browser.
      *
      * @param file The file to check.
      * @return Whether the file should be opened in browser.
      */
     shouldOpenInBrowser(file: CoreWSFile): boolean {
-        if (!file || !('isexternalfile' in file) || !file.isexternalfile || !file.mimetype) {
+        if (!file.mimetype) {
             return false;
         }
 
         const mimetype = file.mimetype;
+        if (!('isexternalfile' in file) || !file.isexternalfile) {
+            return mimetype === 'application/vnd.android.package-archive' ||
+                CoreMimetypeUtils.getFileExtension(file.filename ?? '') === 'apk';
+        }
+
         if (mimetype.indexOf('application/vnd.google-apps.') != -1) {
             // Google Docs file, always open in browser.
             return true;

src/core/services/file-helper.ts

@@ -34,6 +34,7 @@ import { CoreFileEntry } from '@services/file-helper';
 import { CoreConstants } from '@/core/constants';
 import { CoreWindow } from '@singletons/window';
 import { CoreColors } from '@singletons/colors';
+import { CoreError } from '@classes/errors/error';
 
 type TreeNode<T> = T & { children: TreeNode<T>[] };
 
@@ -958,6 +959,8 @@ export class CoreUtilsProvider {
             this.openInApp(path);
 
             return;
+        } else if (extension === 'apk' && CoreApp.isAndroid()) {
+            throw new CoreError(Translate.instant('core.cannotinstallapk'));
         }
 
         // Path needs to be decoded, the file won't be opened if the path has %20 instead of spaces and so.