Remote app install via Google Play Store

Pearshaped

On stock android, one can remotely install apps via play.google.com on any phone connected to the google account. (You just sign in to the website and then click "install" and the app is installed on the phone without any further confirmation).

To the best of my knowledge, it is impossible to prevent this using the settings in the play store app.

To me (and I'm sure I'm not alone), this is an anti-feature, given that malicious apps frequently end up on the play store. If someone is able to arbitrarily install apps on my phone remotely, then taking over my google account would also mean taking over my phone.

How is this handled in GrapheneOS?

From my understanding, sandboxed Google Play Store must ask permission for each app it installs. So the remote installation of apps via play.google.com should be impossible without confirmation on the phone. Is this correct?

Follow up question: I have read that for some online banking apps etc to work, some sandboxing features must be disabled. Does this change anything about the answer to the above question?

wizoatk

The permission that I believe you're asking about is:

Settings > App > Special app access > Install unknown apps > Google Play Store > Allow from this source

Disable this if you don't want Play Store to install any new apps.

Pearshaped

Thank you for your responses!
I'll try to rephrase your resonses to make sure I understood you correctly because I think there might be a contradiction here in regard to how permissions to install apps work or I don't understand the whole picture.

wizoatk

Settings > App > Special app access > Install unknown apps > Google Play Store > Allow from this source
If I understand you correctly, the permission to install apps is granted once in settings and, from that point on, the play store app has carte blanche in regard to which apps it installs. Conclusion: remote install works.

Skorp

The function works the same as on stock with the exception you noted: it requires manual user confirmation within the Play Store app to install any app.
If I understand you correctly, the user has to confirm every single app install manually when using the play store app. (How does this work? Is this a system prompt or is this somehow part of the play store? Do you have a screenshot, perhaps?)
Conclusion: remote app install does NOT work.

Am I missing anything?

Removing exploit protections does not affect the app install confirmation prompt. Those exploit protections would typically only be disabled on a per-app basis, so would not affect the Play Store anyway.

This is really helpful, thanks! So I would just turn off the exploit protections for the banking app and not for Google Play Services or even the Play Store.

Skorp

The function works the same as on stock with the exception you noted: it requires manual user confirmation within the Play Store app to install any app.

To your second question:
Removing exploit protections does not affect the app install confirmation prompt. Those exploit protections would typically only be disabled on a per-app basis, so would not affect the Play Store anyway.

Let me know if that answers your questions sufficiently :)

Skorp

Happy to clarify.

The function for triggering app installs from the Play Store (like in a browser) works as it does on stock.
For both the Stock OS and for GOS, any 3rd party app store cannot install apps without the per-app install confirmation prompt.
First party app stores for an OS do not need to provide this confirmation prompt. On GOS, the only first party app store is App Store. Meaning, Play Store, Accrescent, etc., all require the confirmation prompt. On the stock OS, the first party app store is Play Store, hence it does not require that confirmation prompt.

The permission that @wizoatk mentioned is the ability to install apps at all, not anything more.

Pearshaped

Skorp

Thank you very much for your clarification, it all makes sense now.

I love the way this works in GOS.

I'm on the fence about getting a Pixel 10 for GOS and this topic was important to me.

Now to hoping that Google finally releases the Android 16 QPR1 source soon. I'll probably just pull the trigger on the phone and use it with stock android as a secondary phone until GOS is available for it.

Please feel free to mark this topic as resolved, if appropriate. Thanks again!