kevlar-kt / kevlar

Android Security Toolkit & Framework
https://kevlar-kt.github.io/kevlar
Apache License 2.0

[BUG] Google Play does not allow QUERY_ALL_PACKAGES permission #8

Closed Nek-12 closed 1 year ago

Nek-12 commented 1 year ago

Bug description

Google Play does not allow the QUERY_ALL_PACKAGES permission if your app is not a launcher app.

Reproduction steps

  1. Build a non-launcher app
  2. Declare QUERY_ALL_PACKAGES in your app's manifest
  3. Submit a release build
  4. Watch your app update get rejected and app removed from the Play Store

Expected behavior

The library either specifies its <queries> string in the manifest of the module, or provides documentation on what strings to include in the <queries> string when having QUERY_ALL_PACKAGES is not an option.

Actual behavior

Nothing, and a single mention in the docs that assumes anyone may add the permission as they please.

cioccarellia commented 1 year ago

I'll update the docs & package setup procedure accordingly. The QUERY_ALL_PACKAGES permission is, as you pointed out, kind of a dumb way to access the package list, given that Google grants it to a small subset of all applications, and if you have IAP/subscriptions you don't get this automatically, and there might be good reasons for them to do so. I was aware of that but never did anything better.

The other thing is that, by default, the visible packages are basically only the ones your app is designed to interact with. And the problem is that malicious packages are not among these.

The go-to way for doing this should be adding a <query> filter to the application/aar, with the necessary metadata to enable the application to scan at runtime the subset of installed packages which may also be caught by the actual kevlar detection engine.

The tricky bit is that the applications that kevlar antipiracy actually looks for are camouflaged / actually trying to hide with randomized metadata. I tested and found a few queries that make crucial applications visible, so I think I can make it work.

Will keep this up to date.

Sources:

cioccarellia commented 1 year ago

Added docs at https://kevlar-kt.github.io/kevlar/pages/modules/antipiracy/privacy/ and in the :showcase app

Basically, adding the given queries to your app will allow Kevlar to receive the packages it's interested in, thus making it work without requiring the QUERY_ALL_PACKAGES permission.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">

    <queries>
        <package android:name="uret.jasi2169.patcher" />
        <package android:name="zone.jasi2169.uretpatcher" />
        <package android:name="org.creeplays.hack" />
        <package android:name="apps.zhasik007.hack" />
        <package android:name="com.leo.playcard" />
        <package android:name="com.appsara.app" />
        <package android:name="com.xmodgame" />
        <package android:name="org.sbtools.gamehack" />
        <package android:name="com.zune.gamekiller" />
        <package android:name="com.killerapp.gamekiller" />
        <package android:name="cn.lm.sq" />
        <package android:name="com.aag.killer" />
        <package android:name="com.github.oneminusone.disablecontentguard" />
        <package android:name="com.oneminusone.disablecontentguard" />
        <package android:name="madkite.freedom" />
        <package android:name="jase.freedom" />
        <package android:name="cc.jase.freedom" />
        <package android:name="cc.madkite.freedom" />
        <package android:name="cc.cz.madkite.freedom" />
        <package android:name="com.devadvance.rootcloak" />
        <package android:name="com.devadvance.rootcloakplus" />
        <package android:name="com.formyhm.hideroot" />
        <package android:name="com.formyhm.hiderootpremium" />
        <package android:name="com.amphoras.hidemyroot" />
        <package android:name="com.amphoras.hidemyrootadfree" />
        <package android:name="com.zachspong.temprootremovejb" />
        <package android:name="cm.aptoide.pt" />
        <package android:name="com.happymod.apk" />
        <package android:name="happygames.io" />
        <package android:name="org.blackmart.market" />
        <package android:name="com.blackmartalpha" />
        <package android:name="com.mobogenie" />
        <package android:name="me.onemobile.android" />
        <package android:name="com.repodroid.app" />
        <package android:name="com.getjar.reward" />
        <package android:name="com.slideme.sam.manager" />
        <package android:name="ac.market.store" />
        <package android:name="net.appcake" />
        <package android:name="com.appcake" />
        <package android:name="com.zmapp" />
        <package android:name="org.mobilism.android" />
        <package android:name="com.allinone.free" />
        <package android:name="com.chelpus.lackypatch" />
        <package android:name="com.dimonvideo.luckypatcher" />
        <package android:name="com.forpda.lp" />
        <package android:name="com.android.vendinc" />
        <package android:name="com.android.vending.licensing.ILicensingService" />
        <package android:name="com.android.vending.billing.InAppBillingService.LOCK" />

        <intent>
            <action android:name="android.intent.action.SEND_MULTIPLE" />
            <!-- <category android:name="android.intent.category.DEFAULT" /> -->
            <data android:mimeType="*/*" />
        </intent>
    </queries>

    <application
        android:name="com.kevlar.showcase.App"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:theme="@style/AppTheme">

        <activity
            android:name="com.kevlar.showcase.ui.activities.main.MainActivity"
            android:exported="true">

            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
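
An added example, not part of the thread or of Kevlar's own code: a pre-release check that parses a manifest, flags a leftover QUERY_ALL_PACKAGES declaration, and reports which required package names are absent from <queries>. The sample manifest is constructed, the required set is a subset of the names posted above, and `audit_manifest` and `passes` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
BROAD_PERMISSION = "android.permission.QUERY_ALL_PACKAGES"

# Constructed sample manifest (not from the project): it still requests the
# broad permission and its <queries> block misses one package from the thread.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
    <queries>
        <package android:name="com.chelpus.lackypatch" />
        <package android:name="com.dimonvideo.luckypatcher" />
        <intent>
            <action android:name="android.intent.action.SEND_MULTIPLE" />
            <data android:mimeType="*/*" />
        </intent>
    </queries>
    <application />
</manifest>
"""

# Subset of the package names listed in the thread, used as the required set.
REQUIRED = ["com.chelpus.lackypatch", "com.dimonvideo.luckypatcher",
            "cc.madkite.freedom"]


def audit_manifest(xml_text, required_packages):
    """Report package-visibility problems in a manifest before submission."""
    root = ET.fromstring(xml_text.strip())
    permissions = {e.get(NAME) for e in root.iter("uses-permission")}
    declared = [p.get(NAME) for p in root.findall("queries/package")]
    actions = [a.get(NAME) for a in root.findall("queries/intent/action")]
    return {
        "broad_permission": BROAD_PERMISSION in permissions,
        "missing": sorted(set(required_packages) - set(declared)),
        "duplicates": sorted({p for p in declared if declared.count(p) > 1}),
        "intent_actions": sorted(actions),
    }


def passes(report):
    """A build passes when it drops the broad permission and misses nothing."""
    return not report["broad_permission"] and not report["missing"]


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST, REQUIRED)
    print(report, "PASS" if passes(report) else "FAIL")
```

Run it against the merged manifest of the release build rather than the app module's source manifest, since library modules can contribute their own permissions and <queries> entries.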