sergeykomlach/AdvancedBiometricPromptCompat

Lib uses prohibited QUERY_ALL_PACKAGES permission

Closed this issue · 5 comments

jukov commented

Hi,

I found out that the lib uses QUERY_ALL_PACKAGES for some kind of check, but Google doesn't allow publishing regular apps with this permission: https://support.google.com/googleplay/android-developer/answer/10158779?hl=en

For now, I excluded the permission from our app's manifest, but I found some check that the lib tries to perform here. As I understood, without this permission the only biometric type that would work is Fingerprint.
So here I have a question: does this check really matter? Why is it important to check whether there is a specific app? Can we avoid this check?

FYI I am ready to work on this problem, but first I need more information about this solution.

Should be fixed.
Some false positive detections can happen for isHardwarePresence; I'll check on available devices.

The reason for QUERY_ALL_PACKAGES and pm.getInstalledPackages(): some devices return TRUE when pm.getSystemFeature($biometricType) is called.
The problem is that such devices really do have, for example, a face unlock feature, but it is implemented via some 3rd-party OEM solution with a Service implementation (OnePlus, Vivo, Xiaomi, etc.).

jukov commented

some devices return TRUE when called pm.getSystemFeature($biometricType).

I'm not sure that I got the point.

Does it mean that even if they return true, in fact, this specific biometricType could be unsupported on some devices?
And to confirm, you are trying to check if there is a specific package for handling this type?

some devices return TRUE when called pm.getSystemFeature($biometricType).

I'm not sure that I got the point.

Does it mean that even if they return true, in fact, this specific biometricType could be unsupported on some devices? And to confirm, you are trying to check if there is a specific package for handling this type?

Yep, you understand correctly: hardware checks on some devices may produce false positive detections.
Biometric auth may work for system apps (lock screen, some app lock tools, etc.),
but this lib (and in general, all 3rd-party apps) does not have access to the implementation. To avoid/minimize false positive results, filtering by package/service name was implemented.
But also, some other code changes were added, so maybe the service name check can be safely removed.
I'll test on my devices where false detection happens; hope the current impl without QUERY_ALL_PACKAGES will be OK.
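If a package-name filter like the one described above is ever wanted again, Android's package-visibility `<queries>` declaration lets an app see one specific package without QUERY_ALL_PACKAGES. An added Kotlin example (not the library's code; the OEM package name is a placeholder, and the platform API is hasSystemFeature):

```kotlin
// Added example for this thread, not code from AdvancedBiometricPromptCompat.
// Manifest companion (Android 11+, API 30): instead of QUERY_ALL_PACKAGES, list only
// the package the check needs to see:
//   <queries>
//       <package android:name="com.example.oem.faceunlock" />
//   </queries>
// "com.example.oem.faceunlock" is a placeholder; real OEM package names are not on the page.
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build

private const val OEM_FACE_PACKAGE = "com.example.oem.faceunlock" // placeholder

enum class FaceSupportHint {
    NO_FEATURE,             // platform does not report FEATURE_FACE
    FEATURE_ONLY,           // FEATURE_FACE reported, OEM package not visible
    FEATURE_AND_OEM_SERVICE // FEATURE_FACE reported and the OEM package is visible
}

/** True when [packageName] is installed and visible to this app (needs a <queries> entry on API 30+). */
fun isPackageVisible(pm: PackageManager, packageName: String): Boolean =
    try {
        pm.getPackageInfo(packageName, 0)
        true
    } catch (e: PackageManager.NameNotFoundException) {
        false // not installed, or hidden by package-visibility filtering
    }

/** Combines the hardware feature flag with a scoped package check instead of pm.getInstalledPackages(). */
fun faceSupportHint(context: Context): FaceSupportHint {
    val pm = context.packageManager
    // FEATURE_FACE exists from API 29; older platforms cannot report it at all.
    val featurePresent = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
        pm.hasSystemFeature(PackageManager.FEATURE_FACE)
    if (!featurePresent) return FaceSupportHint.NO_FEATURE
    return if (isPackageVisible(pm, OEM_FACE_PACKAGE)) FaceSupportHint.FEATURE_AND_OEM_SERVICE
    else FaceSupportHint.FEATURE_ONLY
}
```

The caller still decides what FEATURE_AND_OEM_SERVICE means for its own biometric flow; the hint only separates the platform flag from the OEM presence check.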

The QUERY_ALL_PACKAGES permission and the relevant code were removed; I didn't find any side effects for now.
The ticket will be closed.