This repository has been archived by the owner on Jun 11, 2021. It is now read-only.

PayPal 2.12.4 aar adds unwanted permission and code #234

Closed
cyrilmottier opened this issue Jan 5, 2016 · 7 comments

@cyrilmottier

When looking at the dependencies of the library we get:

+--- com.paypal.sdk:paypal-android-sdk:2.12.4
|    +--- com.squareup.okhttp:okhttp:2.5.0 -> 2.7.1
|    |    \--- com.squareup.okio:okio:1.6.0
|    \--- io.card:android-sdk:5.1.2

In other words:

  • OkHttp is not up-to-date (but that's not the issue)
  • Card.IO is always imported which means bundling code that may not be used at all.

This is pretty annoying when we want to have the most light-weight APK possible.

Things get worse when looking at the AndroidManifest.xml. It includes the CAMERA permission which may not be useful at all if Card.IO .so are stripped. That's also the case for the CardIOActivity and the <uses-feature /> tags.

It's obviously possible to add tools:remove to our AndroidManifest.xml but that's clearly a dirty hack. Hence, the current version of the library is not usable as is and can't be used in production code.

A possible solution would be to have a dedicated Maven artefact like com.paypal.sdk:paypal-android-sdk-no-card-io:2.12.4 that wouldn't include the Card.IO dependency.

@cyrilmottier
Author

Another option would be to be able to "exclude" the io.card:android-sdk dependency in the dependencies DSL of build.gradle and make sure the PayPal code runs correctly if Class.forName(<a_card_io_class>) throws.

@jaypatel512
Contributor

Hey @cyrilmottier !

You are correct. I will go ahead and update the okhttp first. And about the card-io, currently, the only way to exclude card-io is to exclude libraries as shown here: #226 !

However, we are working on getting the dependency from card-io completely, to remove that completely, but this may take some time though. I will keep you updated on this.

  • Upgrade okhttp
  • Remove card-io dependency
  • Remove unnecessary permissions

@sankarbhavanib
Contributor

Fixed in 2.13.0 release.

@MMahach

MMahach commented Oct 6, 2016

Hello,

Could someone (@jaypatel512) give an update for this issue? It's marked as "fixed/closed", but what exactly was fixed in 2.13.0? Because as per the 2.15.0 release everything (related to card.io) is still in place: native libraries cannot be excluded from dependencies via "exclude group", and the app's manifest contains unwanted permissions and activity.

Thank you in advance!

@braebot
Contributor

braebot commented Oct 6, 2016

You can exclude card.io as shown in the readme.

@MMahach

MMahach commented Oct 10, 2016

Hi @braebot,

Thank you for the answer, but it doesn't work in my case; I've written so in my comment above. What does work is a method described in #226 (which has been mentioned by @jaypatel512 in this thread), but it is not a really good solution because the app's manifest still contains unwanted permissions and activity.

Am I the only one who is experiencing this problem with version 2.15.0?

@RGSalazar

Hello @MMahach,

I'm not experiencing the problem with version 2.15.1 :) It's working on my end with just the exclusion detailed in the readme file.
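
An added example, not part of the original thread or of the PayPal SDK: a build-time check that parses the merged AndroidManifest.xml and reports every permission, feature and component the app did not explicitly allow, which is how entries merged in by a dependency (such as the CAMERA permission and CardIOActivity discussed above) get caught before release. The sample manifest, the com.example.shop package and the audit_manifest function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample of a merged manifest (not copied from any real build).
SAMPLE_MERGED_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-feature android:name="android.hardware.camera" android:required="false" />
    <application>
        <activity android:name=".MainActivity" />
        <activity android:name="io.card.payment.CardIOActivity" />
    </application>
</manifest>
"""


def audit_manifest(xml_text, allowed_permissions, allowed_features, allowed_prefixes):
    """Return sorted (kind, name) findings for entries outside the allowlists."""
    root = ET.fromstring(xml_text)
    app_package = root.get("package", "")
    findings = []
    for tag, kind, allowed in (
        ("uses-permission", "permission", allowed_permissions),
        ("uses-feature", "feature", allowed_features),
    ):
        for elem in root.iter(tag):
            name = elem.get(NAME)  # e.g. glEsVersion features carry no name
            if name and name not in allowed:
                findings.append((kind, name))
    for tag in COMPONENT_TAGS:
        for elem in root.iter(tag):
            name = elem.get(NAME, "")
            # Relative names (".MainActivity") resolve against the app package.
            if name.startswith("."):
                name = app_package + name
            elif "." not in name:
                name = f"{app_package}.{name}"
            if not name.startswith(tuple(allowed_prefixes)):
                findings.append((tag, name))
    return sorted(findings)


if __name__ == "__main__":
    for kind, name in audit_manifest(
        SAMPLE_MERGED_MANIFEST, {"android.permission.INTERNET"}, set(), ["com.example.shop."]
    ):
        print(f"unexpected {kind}: {name}")
```

Run it against the merged manifest produced by the build rather than the app's source manifest, since only the merged file contains what libraries contribute.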
