Google denied update due Remediation for Implicit PendingIntent Vulnerability

Asked 22/6, 2021 at 17:53 Answered 14/3, 2022 at 9:52

java android google-play huawei-mobile-services huawei-push-notification

When i'm trying to update my app - i got error during review process. Remediation for Implicit PendingIntent Vulnerability - https://support.google.com/faqs/answer/10437428. In my app there is on place, where i'm creating PendingIntent - for Firebase push notifications:

Inside class FCMService extends FirebaseMessagingService

@Override
    public void onMessageReceived(@NotNull RemoteMessage remoteMessage) {
        super.onMessageReceived(remoteMessage);

        Intent intent = new Intent(this, ApplicationActivity.class);
        intent.setAction("com.google.firebase.MESSAGING_EVENT");
        intent.setPackage(getApplicationContext().getPackageName());

        Map<String, String> data = remoteMessage.getData();
        for (Map.Entry<String, String> entry : data.entrySet()) {
            String value = entry.getValue();
            String key = entry.getKey();
            if (key.equals(ApplicationActivity.LINK_URL) ||
                    key.equals(ApplicationActivity.FLOCKTORY_LINK_URL)) {
                intent.putExtra(ApplicationActivity.FLOCKTORY_LINK_URL, value);
                if (remoteMessage.getNotification() != null && remoteMessage.getNotification().getTitle() != null) {
                    intent.putExtra(ApplicationActivity.HMS_PUSH_TITLE, remoteMessage.getNotification().getTitle());
                }
            }
        }

        PendingIntent pendingIntent = PendingIntent.getActivity(this, 0, intent, PendingIntent.FLAG_IMMUTABLE);

        RemoteMessage.Notification notification = remoteMessage.getNotification();
        NotificationCompat.Builder builder = new NotificationCompat.Builder(this, getString(R.string.channel_id))
                .setSmallIcon(R.drawable.ic_launcher_notification)
                .setColor(getResources().getColor(R.color.colorNotification))
                .setContentTitle(notification == null ? "" : notification.getTitle())
                .setContentText(notification == null ? "" : notification.getBody())
                .setPriority(NotificationCompat.PRIORITY_DEFAULT)
                .setContentIntent(pendingIntent)
                .setAutoCancel(true);

        NotificationManagerCompat notificationManager = NotificationManagerCompat.from(this);
        notificationManager.notify(new Random(UUID.randomUUID().getLeastSignificantBits()).nextInt(), builder.build());

In Manifest:

<service
            android:name="ru.svyaznoy.shop.domain.FCMService"
            android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT" />
            </intent-filter>
        </service>

implementation "com.google.firebase:firebase-messaging:22.0.0"

minSdkVersion 24 targetSdkVersion 30

I just cant figure out what's wrong with this code - i pass explicit Intent with all required fields set. My head is blowing - this update is very important. Does anyone had similar issue?

Hedonism answered 22/6, 2021 at 17:53 Comment(2)

Same here. No explanation from google. – Komsomolsk 23/6, 2021 at 11:39

@Amit@dephinera,I have posted my answer below, please kindly refer that. – Fluker 2/7, 2021 at 1:57

Thanks to @kkazakov problem solved. Library com.huawei.hms:push contains unsafe usage of implicit PendingIntents. Google approved update for build without this lib.

For me it's time to create gms and hms build flavors to avoid problems with Huawei in the future.

Hedonism answered 23/6, 2021 at 16:32 Comment(0)

The Intent in your example is an explicit intent with a given action. So this shouldn't be the cause for your update problem.

I am facing the same security problem and I think the cause for this is in a dependency. Because there are only explicit pending intents in my app.

I don't think that google prevents an update because of a vulnerability in their own libraries so I currently looking into the dependencies of the Huawei SDKs. It's just a guess but without any more information from play store guessing is the only thing we can do.

Forswear answered 23/6, 2021 at 9:52 Comment(9)

We have huawei dependencies too - will look into it and share results here. – Emetine 23/6, 2021 at 10:32

Did you guys find anything in the Huawei SDKs? Are they open sourced, or are you examining the class files? I couldn't find a repo – Komsomolsk 23/6, 2021 at 11:54

I'm working on isolating huwaei dependencies for Google Play version right now. I want to exlude those libs from the bundle and try again to update. This will give straight answer. Hope will find out tomorrow. – Emetine 23/6, 2021 at 12:40

We have received detailed response from Google and they state that the com.huawei.hms.push.o.a is the problem, which is Huawei. We're also building now without any Huawei package for Google Play. – Evette 23/6, 2021 at 13:53

That was the problem - Huawei push library. We've sent to Google without that library for now and we got approved. – Evette 23/6, 2021 at 15:31

Same here - thank you very much for help :) – Emetine 23/6, 2021 at 16:28

Thanks for your replies. I've just seen that Huawei has already released an update for the pushkit sdk: 5.3.0.302 (2021-06-26) with a cryptic change log entry: "Forbidden going to the page of another app through a custom intent URL from the current app." Has anybody already tried this version and can confirm that this fixes this issue? – Forswear 24/6, 2021 at 7:40

We contacted Huawei. They know about the problem, but can't tell how much time it take to fix the issue. – Seminole 24/6, 2021 at 11:36

@vyndor,I posted my answer above and this issue has been resolved in Push SDK 5.3.0.304.NOTE: If you have any queries, please feel free to contact us. :D – Fluker 2/7, 2021 at 2:39

Thank you for your feedback. This issue has been resolved in the release of Push SDK 5.3.0.304. It has been tested and verified by developers and can be approved by Google for release.

For details, you can check the Push kit Version Change History description.

Fluker answered 2/7, 2021 at 1:54 Comment(2)

I have updated to ...:push:6.5.0.300 from push:6.1.0.300, do I need to update the target as well? i.e. 31 used in push:6.5.0.300 but my app is using target 30, or i need to downgrade to older SDK 5.3.0.304? – Locative 26/7, 2022 at 4:49

Upgrade the Push SDK is fine. The target does not need to be upgraded. – Fluker 26/7, 2022 at 6:39

Just want to update that our app used Push SDK 5.3.0.304, but still got the warning in the play console's Pre-launch report details. It indicates that PushNotification.java's method with this signature: void a(android.content.Context,android.content.Intent,long,int) produces the issue.

Maybe @shirley could help to check if this method still has the issue. Thanks.

Automaton answered 14/3, 2022 at 9:52 Comment(5)

This does not really answer the question. If you have a different question, you can ask it by clicking Ask Question. To get notified when this question gets new answers, you can follow this question. Once you have enough reputation, you can also add a bounty to draw more attention to this question. - From Review – Retrospection 16/3, 2022 at 2:28

I am having this exact issue, currently checking if the update to PushSDK 6.1.x solves the issue. I'll stick around and update here as soon as I have any news – Ratable 16/3, 2022 at 14:5

I'll link the github issue here, in case you want to take a look further: github.com/HMS-Core/hms-react-native-plugin/issues/177 – Ratable 16/3, 2022 at 15:56

@AbhishekDutt, I was try to use comment at the beginning, but did't have the required reputation. Then I found the method's signature may help to fix the issue, so I still replied the thread. I will try to do better next time. Thanks. – Automaton 16/3, 2022 at 16:39

@sentientmachine, thanks for sharing the official issue tracker. Hope the new version could solve the issue. – Automaton 16/3, 2022 at 16:44

Recommended topics

Hot tags