Remove QUERY_ALL_PACKAGES permission

[androideveloper]

What is the current behavior?

All apps that are using react-native-inappbrowser dependency automatically include the dangerous QUERY_ALL_PACKAGES permission and need to explain why they are using it or the apps will be removed from July 2022.

What is the new behavior?

We can safely remove this permission, as we only need to query the browsers that support custom tabs and having

        <intent>
            <action android:name="android.support.customtabs.action.CustomTabsService" />
        </intent>

is enough for that.

See https://developer.android.com/training/package-visibility/use-cases#open-urls-custom-tabs

However, you might want to check whether the device has a browser that supports Custom Tabs, or select a specific browser to launch with Custom Tabs using CustomTabsClient.getPackageName(). In those cases, include the following element as part of the element in your manifest.

Fixes #311

[jdnichollsc]

Thanks for your amazing contribution mate! <3

[androideveloper]

hey @jdnichollsc . Do you have any plans to release a new version soon to include this change?

[jdnichollsc]

Hello mate, hope you're doing well
Oh sorry for the delay, I'm taking some vacations but let me try to do that as soon as possible, in the meantime please point to the develop branch of this repository

Best,
Juan

[androideveloper]

Hi @jdnichollsc .
No worries, enjoy your vacation! I think the deadline from Google is April 5, where we need to submit the explanation or remove the permission. We can also remove the permission from our side, but it would be nice to have the library bumped instead.

[Adnan-Bacic]

Hi @jdnichollsc . No worries, enjoy your vacation! I think the deadline from Google is April 5, where we need to submit the explanation or remove the permission. We can also remove the permission from our side, but it would be nice to have the library bumped instead.

they have updated it. in the link you sent it now says:

Effective July 1, 2022

Due to COVID-19 related considerations, enforcement for apps that target Android 11 (API level 30) and request QUERY_ALL_PACKAGES will not start until July 1, 2022.

so there should be enough time to release a version with these changes.

[seanbaergen]

It seems that as of today (April 5) AppCenter won't allow my app to be released to google play now because of this permission (error: "This release includes the QUERY_ALL_PACKAGES permission, which hasn't been declared in Play Console."). Does anyone know if it is possible to declare it on google play yet or will that not be possible until July 1?

[honzajerabek]

I'm also getting my app rejected because of this permission now. It passed the previous release a week ago

[jdnichollsc]

Hello folks, please keep the discussion here #311 (comment)

Thank you for your patience! <3

[voxspox]

Hi @jdnichollsc
when do you plan to release this fix? I am thinking about adding a patch or waiting for the new version

[harveyconnor]

When will this be on npm?

[Dema1348]

please create a new release with this fix, the dead line is approaching

[tommyrharper]

Awesome thank! But we need to get this published ASAP, or our app will be removed from the App Store.

[sniravj]

This is still not released. Best work around till then is to create patch file for this node module in your git.

In your project folder go to node modules folder and edit the AndroidManifest.xml file there
node_modules\react-native-inappbrowser-reborn\android\src\main\AndroidManifest.xml

Remove this whole line

in terminal run this
npx patch-package react-native-inappbrowser-reborn --use-yarn

commit the patch file in your git, and voila. My app got accepted by Google without any issue this time

[f1sh1918]

@sniravj

your command created successfully a patch file. I ran yarn android and the permission was removed from manifest. But when i run another yarn install and then yarn android the permission will be listed again. Do i have to add an additional command to execute the patch file?

Do i need yarn 2.x for applying patches properly

Update: I just had to follow these instruction for yarn
https://www.npmjs.com/package/patch-package

[sonywijaya]

@sniravj

your command created successfully a patch file. I ran yarn android and the permission was removed from manifest. But when i run another yarn install and then yarn android the permission will be listed again. Do i have to add an additional command to execute the patch file?

Do i need yarn 2.x for applying patches properly

Update: I just had to follow these instruction for yarn https://www.npmjs.com/package/patch-package

On your package.json add
"postinstall": "npx patch-package"
on scripts

{
    // rest of code
    "scripts": {
         // rest of code
         "postinstall": "npx patch-package"
}

[manoelrpn]

When will this PR be published in the release?

[harveyconnor]

NEVER!

[swikars1]

just patch the package brothers

[koreus7]

I had to make a fork because this has not been released yet. The Google Play deadline is here - please release a new version.

[allanzi]

I've just created this patch package

diff --git a/node_modules/react-native-inappbrowser-reborn/android/src/main/AndroidManifest.xml b/node_modules/react-native-inappbrowser-reborn/android/src/main/AndroidManifest.xml
index 6aaceca..602e13e 100644
--- a/node_modules/react-native-inappbrowser-reborn/android/src/main/AndroidManifest.xml
+++ b/node_modules/react-native-inappbrowser-reborn/android/src/main/AndroidManifest.xml
@@ -3,7 +3,6 @@
           package="com.proyecto26.inappbrowser">
 
     <uses-permission android:name="android.permission.INTERNET" />
-    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
 
     <application>
         <activity
@@ -16,4 +15,3 @@
         </intent>
     </queries>
 </manifest>
-  
\ No newline at end of file

[Herael]

Hello,

I added in my AndroidManifest.xml the remove of the QUERY_ALL_PACKAGES permission:

<uses-permission tools:node="remove" android:name="android.permission.QUERY_ALL_PACKAGES" />

and I also added a patch like yours @allanzi but I still get the following error:

Google Api Error: Invalid request - This release includes the QUERY_ALL_PACKAGES permission, which hasn't been declared in Play Console.

Did you also face this error despite the patch and the removal of the condition in the AndroidManifest?

I need to deploy my application quickly but apparently, the library will not be patched soon ... :/

Thanks and have a nice day ! ☀️

[andac-ozcan]

Hello,

I added in my AndroidManifest.xml the remove of the QUERY_ALL_PACKAGES permission:

<uses-permission tools:node="remove" android:name="android.permission.QUERY_ALL_PACKAGES" />

and I also added a patch like yours @allanzi but I still get the following error:

Google Api Error: Invalid request - This release includes the QUERY_ALL_PACKAGES permission, which hasn't been declared in Play Console.

Did you also face this error despite the patch and the removal of the condition in the AndroidManifest?

I need to deploy my application quickly but apparently, the library will not be patched soon ... :/

Thanks and have a nice day ! ☀️

Hey Hereal, I'm in exact same situation. I'm not able to see QUERY_ALL_PACKAGES permission in my AndroidManifest.xml anymore after that fix. Searched that keyword in entire node_modules and only inappbrowser was using it. However PlayStore somehow finding it in my builds. Maybe it's a PlayStore cache issue or something like that, idk.

Let me know if you finds any solution. In the meantime I submit my permission request from PlayStore with an explanation, we'll see.

[a613]

Searched that keyword in entire node_modules and only inappbrowser was using it. However PlayStore somehow finding it in my builds. Maybe it's a PlayStore cache issue or something like that, idk.

Ran into this as well. Seems like the Play Store gets confused. This is the reply I got from support when I asked about it:

After checking it seems that you are already able to submit your update for review. Please note that if you plan to not use the QUERY_ALL_PACKAGES permission in your future updates for all tracks, you will need to declare and submit the declaration form again stating that you won’t be using this permission.
As for your question, you may view your app content page then manage the sensitive permissions and APIs. You will then be able to view the app bundle that is currently using your permissions.
As per the error you are receiving, since you will not be using the permission to your new release, you will need to indicate this in the form as well.

This is relation to this error encountered by fastlane when uploading a build:

Google Api Error: Invalid request - This release includes the QUERY_ALL_PACKAGES permission, which hasn't been declared in Play Console.

The patch-package solution is the best option we have because it's quick and effective. Then to solve the Play Store error it seems like submitting with an explanation that the permission isn't used anymore is the next step.

[mohamed2m2018]

why this is not released yet? @jdnichollsc

[Herael]

I'm coming back to you, it seems that @a613's solution associated with my previous actions is right, my build just got accepted without any fastlane errors! 🥳

What I did:

• Add the permission removal in the AndroidManifest.xml file:

<uses-permission tools:node="remove" android:name="android.permission.QUERY_ALL_PACKAGES" />

• Added a patch from the library using patch-package

$ yarn patch-package react-native-inappbrowser-reborn

Thanks to @sharmal33, here is the content of the patch used :

diff --git a/node_modules/react-native-inappbrowser-reborn/android/src/main/AndroidManifest.xml b/node_modules/react-native-inappbrowser-reborn/android/src/main/AndroidManifest.xml
index 6aaceca..602e13e 100644
--- a/node_modules/react-native-inappbrowser-reborn/android/src/main/AndroidManifest.xml
+++ b/node_modules/react-native-inappbrowser-reborn/android/src/main/AndroidManifest.xml
@@ -3,7 +3,6 @@
           package="com.proyecto26.inappbrowser">
 
     <uses-permission android:name="android.permission.INTERNET" />
-    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
 
     <application>
         <activity
@@ -16,4 +15,3 @@
         </intent>
     </queries>
 </manifest>
-  
\ No newline at end of file

• Filling the form on the Play Console describing the desired uses of the QUERY_ALL_PACKAGES permission, for my part, I wrote that we do not wish to use it, that we removed it from the next builds, I sent the link of this PR and I added a short video of the use of the lib.

Once the form was submitted and I had a well deserved coffee, I re-run my pipeline a few minutes later, no errors and my build is available.

I hope this helps, thanks for your participation and may the force be with you, colleagues developers !

[sjransom]

@Herael have Google reviewed an accepted your latest build for release?

I have done all the steps you have outlined but Google continue to decline it for release, this is after I have filled out the declaration form with dummy data and uploaded a completely fresh build without any QUERY_ALL_PACKAGES permissions.

We found that your app is not compliant with how QUERY_ALL_PACKAGES permission is allowed to be used. Permitted uses involve apps with core functionalities that require the discovery of any and all installed apps on the device for awareness or interoperability purposes.

This is seriously frustrating as we have been unable to get a release out for over a week.

[Filippo39]

@Herael is <uses-permission tools:node="remove" android:name="android.permission.QUERY_ALL_PACKAGES" /> redundant? Isn't just the library patch enough? (assuming it is the only library that requires such permission)

[Herael]

@sjransom Google accepted my build yeah without any particular message, just after filling out the form, I submitted a new build and it passed with no fastlane errors.

@Filippo39 Yes, I think so too. This is my only library that requires this permission. I was thinking of removing it from the next release, but being stuck for a while, I wanted to take all the chances

[sjransom]

@Herael thanks, yeah Google accept my build via Fastlane but after I push the build to review so that I can release it still gets rejected even though there is no QUERY_ALL_PACKAGES permission in the app bundle explorer.

[brianlenz]

@Herael is <uses-permission tools:node="remove" android:name="android.permission.QUERY_ALL_PACKAGES" /> redundant? Isn't just the library patch enough? (assuming it is the only library that requires such permission)

I can confirm it's redundant and unnecessary. Simply patching the package is sufficient. We were able to deploy our build and now the Google Play Console reports that we don't have any builds with QUERY_ALL_PACKAGES 🎉

[RayHughes]

We found that your app is not compliant with how QUERY_ALL_PACKAGES permission is allowed to be used. Permitted uses involve apps with core functionalities that require the discovery of any and all installed apps on the device for awareness or interoperability purposes.

This is seriously frustrating as we have been unable to get a release out for over a week.

Try replacing each release track build with the newest version. I saw others comment elsewhere about that being the issue preventing them.

I just submitted our latest build after replacing all other release track builds. Will report back.

[jdnichollsc]

Hey folks, please help me reviewing this PR for the new Release 3.7.0 #375

[jdnichollsc]

Sorry for the delay folks 😥