[fphhotchips]

I remember when Android was starting to gain popularity (around 1.6 I suppose), one of the key decisions that I really liked was that Google apps would have no more access to the OS than any other apps. There was no preference to Google. This has now all changed.

Further, what's to stop other vendors doing this, possibly without users knowledge? How many users will click "allow" on a permissions box that gives the vendor a huge amount of permissions like this just so that they can use the latest MyTwitFace?

[habosa]

Where has this changed? Google's apps are still built on top of the SDK. The only real change was the centralization of Google Play Services, but that doesn't change the level of OS access at all and 3rd-party developers can still tap in to these services.

[kevingadd]

Play Services having a custom updater and the ability to silently gain more permissions is definitely not something available to average 3rd party developers.

[cmircea]

Both are available. Any app can request complete control over the system, at which point it can do whatever the hell it wants, short of root. Update? Sure thing, install an APK.

Of course the user has to accept your huge list of permissions first.

[estel]

Normal apps can't install any APK without explicit user consent. The Play Store auto-updates in a similar way.

[some_guy_there]

There are various other Android app store apart from the official play Store (Amazon, F-droid, etc). Any app can request permission to install other apps silently, or may be even a newer version of itself. Play Store uses no private API which is not available to other Android developer. Ask your users to download the apk from your website, if Google Play store won't carry your app, and then built-in a mechanism to auto-update at will.

[estel]

Yes, there's a permission to install apps silently (android.permission.INSTALL_PACKAGES), but this isn't a permission that can be granted to a third party app. Other bundled app stores can if they're signed appropriately, or if the device is rooted.

[habosa]

Pretty sure even Facebook used this for a few days when they had their auto-updating beta channel. Nobody seemed to really mind.

[engrenage]

That's not 'silently'.

[jayd16]

Are you sure this is correct? How is this even possible when you can install Play Services on Android versions before Play Services was even conceived. How can you do this on custom AOSP builds?

Play Services must be playing by the same rules as everyone else or it just wouldn't work on as many devices as it does.

[kevingadd]

I'm not an Android dev, but I would assume that Play Store has always had special permissions in order to be able to install applications, so Google need only deploy an updated version of Play Store for both old/new devices, and that updated version of Play Store have the necessary code to use its privileges to install Play Services and grant Play Services special privileges.

[johsoe]

AFAIK system apks are signed with a special key, that gets special privileges.

[nutjob123]

You could write an app which does this, it would just have a huge permissions list.

[fphhotchips]

You're technically correct, which is obviously the best kind. However, on lesser kinds of correctness, I would argue that the Google Services type model at least violates the spirit of that decision. IMHO, the ability to silently add permissions is either a violation of the agreement or a vulnerability in the OS. I doubt any app would last long on the Play store if it did that.