When i'm trying to update my app - i got error during review process. Remediation for Implicit PendingIntent Vulnerability - https://support.google.com/faqs/answer/10437428. In my app there is on place, where i'm creating PendingIntent - for Firebase push notifications:
Inside class FCMService extends FirebaseMessagingService
@Override public void onMessageReceived(@NotNull RemoteMessage remoteMessage) { super.onMessageReceived(remoteMessage); Intent intent = new Intent(this, ApplicationActivity.class); intent.setAction("com.google.firebase.MESSAGING_EVENT"); intent.setPackage(getApplicationContext().getPackageName()); Map<String, String> data = remoteMessage.getData(); for (Map.Entry<String, String> entry : data.entrySet()) { String value = entry.getValue(); String key = entry.getKey(); if (key.equals(ApplicationActivity.LINK_URL) || key.equals(ApplicationActivity.FLOCKTORY_LINK_URL)) { intent.putExtra(ApplicationActivity.FLOCKTORY_LINK_URL, value); if (remoteMessage.getNotification() != null && remoteMessage.getNotification().getTitle() != null) { intent.putExtra(ApplicationActivity.HMS_PUSH_TITLE, remoteMessage.getNotification().getTitle()); } } } PendingIntent pendingIntent = PendingIntent.getActivity(this, 0, intent, PendingIntent.FLAG_IMMUTABLE); RemoteMessage.Notification notification = remoteMessage.getNotification(); NotificationCompat.Builder builder = new NotificationCompat.Builder(this, getString(R.string.channel_id)) .setSmallIcon(R.drawable.ic_launcher_notification) .setColor(getResources().getColor(R.color.colorNotification)) .setContentTitle(notification == null ? "" : notification.getTitle()) .setContentText(notification == null ? "" : notification.getBody()) .setPriority(NotificationCompat.PRIORITY_DEFAULT) .setContentIntent(pendingIntent) .setAutoCancel(true); NotificationManagerCompat notificationManager = NotificationManagerCompat.from(this); notificationManager.notify(new Random(UUID.randomUUID().getLeastSignificantBits()).nextInt(), builder.build());
In Manifest:
<service android:name="ru.svyaznoy.shop.domain.FCMService" android:exported="false"> <intent-filter> <action android:name="com.google.firebase.MESSAGING_EVENT" /> </intent-filter> </service>
implementation "com.google.firebase:firebase-messaging:22.0.0"
minSdkVersion 24 targetSdkVersion 30
I just cant figure out what's wrong with this code - i pass explicit Intent with all required fields set. My head is blowing - this update is very important. Does anyone had similar issue?
PendingIntents are Intents delegated to another app to be delivered at some future time. Creating an implicit intent wrapped under a PendingIntent is a security vulnerability that might lead to denial-of-service, private data theft, and privilege escalation.
A PendingIntent itself is simply a reference to a token maintained by the system describing the original data used to retrieve it. This means that, even if its owning application's process is killed, the PendingIntent itself will remain usable from other processes that have been given it.
Thanks to @kkazakov problem solved. Library com.huawei.hms:push contains unsafe usage of implicit PendingIntents. Google approved update for build without this lib.
For me it's time to create gms and hms build flavors to avoid problems with Huawei in the future.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With