proyecto26 / react-native-inappbrowser

📱InAppBrowser for React Native (Android & iOS) 🤘
https://www.npmjs.com/package/react-native-inappbrowser-reborn
MIT License
1.32k stars 228 forks source link

Android.permission.QUERY_ALL_PACKAGES was automatically added to Manifest #363

Closed sharmal33 closed 2 years ago

sharmal33 commented 2 years ago

Hi! 👋

Firstly, thanks for your work on this project! 🙂

Today I used patch-package to patch react-native-inappbrowser-reborn@3.6.3 for the project I'm working on.

Here is the diff that solved my problem:

diff --git a/node_modules/react-native-inappbrowser-reborn/android/src/main/AndroidManifest.xml b/node_modules/react-native-inappbrowser-reborn/android/src/main/AndroidManifest.xml
index 6aaceca..602e13e 100644
--- a/node_modules/react-native-inappbrowser-reborn/android/src/main/AndroidManifest.xml
+++ b/node_modules/react-native-inappbrowser-reborn/android/src/main/AndroidManifest.xml
@@ -3,7 +3,6 @@
           package="com.proyecto26.inappbrowser">

     <uses-permission android:name="android.permission.INTERNET" />
-    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />

     <application>
         <activity
@@ -16,4 +15,3 @@
         </intent>
     </queries>
 </manifest>
-  
\ No newline at end of file

This issue body was partially generated by patch-package.

ploveland commented 2 years ago

We have the same issue - we are getting warnings from Google requiring the removal of QUERY_ALL_PACKAGES from our app, but it's only in this package. Will this be removed or is it necessary?

mark-quinn commented 2 years ago

Same issue we are seeing too. Is this permission required for this package? Would be good to get this resolved soon as there's a deadline of the 12th of July set by Google.

edgaraskazlauskas commented 2 years ago

Same, I haven't noticed any issues testing without the permission locally, but don't have the courage to release the app with this permission removed to prod.

zeritte commented 2 years ago

I believe adding this to main/AndroidManifest.xml file would solve the issue

<!-- Removing the access InAppBrowser package adds -->
<uses-permission tools:node="remove" android:name="android.permission.QUERY_ALL_PACKAGES" />
jetako commented 2 years ago

I believe the permission allows for this queries tag in AndroidManifest.xml:

    <queries>
        <intent>
            <action android:name="android.support.customtabs.action.CustomTabsService" />
        </intent>
    </queries>

Looks like the query is used to figure out the default Android browser. I tested without the permission on a release build and it still works on my device, but I don't know what happens if Chrome isn't installed.

@zeritte your solution works great! I confirmed that QUERY_ALL_PACKAGES is no longer in the merged manifest. However, I also needed to add xmlns:tools="http://schemas.android.com/tools" to the manifest tag.

I think most users of this library would prefer that sensitive permissions aren't required by default, unless there is a critical need for it.

ncs-ankur commented 2 years ago

Could you please let us now when can we expect the release with this fix? Since it's impacting our live application update.

rugiaDev commented 2 years ago

@jetako @zeritte I removed the QUERY_ALL_PACKAGES permission and stopped using chrome. Then it opened with samsung browser. It seems to open in device default browser. I'm worried because I don't know when that permission will be used...

deepfinessed commented 2 years ago

Commenting here in case it helps others experiencing this issue:

My app was rejected because it included the offending permission, and I had offending releases on multiple tracks, Internal and Closed Beta. Unfortunately, as this issue blocks updates, I could not release an app removing the permission on the internal track because there was an offending release on the Closed Track, and I could not release on the Closed Track because there was an offending release on the Internal Track.

The solution in this case according to Google Play Support is to fill out the form justifying your use of the permission with dummy information - while this will result in a rejection of the release, it does clear the offending bundle from the release track. Subsequent releases without the permission can then go forward.

RayHughes commented 2 years ago

The solution in this case according to Google Play Support is to fill out the form justifying your use of the permission with dummy information - while this will result in a rejection of the release, it does clear the offending bundle from the release track. Subsequent releases without the permission can then go forward.

Seriously thank you for this. I have spent the better part of 2hrs trying to figure out why the new build was being rejected despite it not being in the manifest.

ChristieRobson commented 2 years ago

The solution in this case according to Google Play Support is to fill out the form justifying your use of the permission with dummy information - while this will result in a rejection of the release, it does clear the offending bundle from the release track. Subsequent releases without the permission can then go forward.

Seriously thank you for this. I have spent the better part of 2hrs trying to figure out why the new build was being rejected despite it not being in the manifest.

Has anyone been able to get their app through review since patching?

We were also advised by Google Play support to add a dummy permission declaration. This clears the api allowing us to upload a new version, however on attempting to release it it gets rejected due to dummy permission form.

codal-mpawar commented 2 years ago

@ChristieRobson @RayHughes can you please guys share what you added in the description. Can you please help me on this. I blocked with this issue And video is required ?

RayHughes commented 2 years ago

I have not released a new version yet. However in the form I did link to the issue and stated that the next build does not have the permission in place and I simply filled out the form because it was blocking upload.

You might be getting rejected because you have tracks with an active build that uses the permission. Try checking them.

Herael commented 2 years ago

Hello,

I added in my AndroidManifest.xml the remove of the QUERY_ALL_PACKAGES permission:

<uses-permission tools:node="remove" android:name="android.permission.QUERY_ALL_PACKAGES" />

and I also added a patch like yours but I still get the following error:

Google Api Error: Invalid request - This release includes the QUERY_ALL_PACKAGES permission, which hasn't been declared in Play Console.

Did you also face this error despite the patch and the removal of the condition in the AndroidManifest?

I need to deploy my application but apparently, the library will not be patched soon ... :/

Thanks and have a nice day ! ☀️

EDIT : you will find here a new post with the process that allowed me to get out of this situation : https://github.com/proyecto26/react-native-inappbrowser/pull/335#issuecomment-1196921244

jdnichollsc commented 2 years ago

Sorry for the delay folks, My Mac stopped working :/ BTW, let me publish a new version in a few hours! <3

jdnichollsc commented 2 years ago

Duplicates of #355