Zoom SDK Vulnerability issue in Android

Ever since we have integrated Zoom SDK, Google has started sending vulnerability warning mails; if not fixed they will take the app down. As per the Zoom blog article on Zoom Rolling Out End-to-End Encryption Offering, they have worked on security-related issues and it seems they have fixed them. So we updated Zoom SDK in our app with the latest version which has all these security fixes. The version we are using in our app is "zoom-sdk-android-5.4.3.613". After submitting the app, we again received a warning mail from Google. Now this is really frustrating. Can somebody help?

Update:

So I raised a ticket at Zoom Support and they closed it as "Solved" immediately. Link to the ticket: https://support.zoom.us/hc/en-us/requests/9837191

TheLittleNaruto Avatar asked Feb 16 '21 11:02



1 Answer

So we finally were able to narrow down the root cause. The issue we were getting from Google Play was "Intent Redirection Violation". I'll list all the things we did to fix the issue:

  1. Definitely updating Zoom SDK was needed which we had done already.

  2. As per Google's suggestion, we checked if any intent redirection was untrusted. To do so, we can put this piece of code inside onCreate() of an Activity:

    // check if the originating Activity is from trusted package
    // getCallingActivity() is null unless this Activity was started with
    // startActivityForResult(), so guard against that before reading the package
    ComponentName caller = getCallingActivity();
    if (caller != null && caller.getPackageName().equals("known")) {
      Intent intent = getIntent();
      // extract the nested Intent
      Intent forward = intent.getParcelableExtra("key");
      // redirect the nested Intent only if one was actually supplied
      if (forward != null) {
        startActivity(forward);
      }
    }
    
  3. We were using SMS Verification APIs and protecting a broadcast receiver with the SEND_PERMISSION will ensure that an Intent comes from Play Services. In our case this SEND_PERMISSION was not set.

TheLittleNaruto Avatar answered Oct 26 '22 16:10
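An added example (not from the question, the answer or the Zoom SDK) that combines both fixes from the answer in one Activity: it validates the calling package and the nested Intent's target before forwarding it, and it registers the SMS Retriever receiver behind SmsRetriever.SEND_PERMISSION. The trusted package name and the extra key are placeholder assumptions, and it assumes a target SDK where the four-argument registerReceiver is accepted.

```java
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Bundle;
import com.google.android.gms.auth.api.phone.SmsRetriever;

public class ForwardingActivity extends Activity {
    // Hypothetical: the one package allowed to hand this Activity a nested Intent.
    private static final String TRUSTED_CALLER = "com.example.trustedcaller";
    private static final String EXTRA_FORWARD = "key";
    private final BroadcastReceiver smsReceiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            // Reached only by a sender holding SmsRetriever.SEND_PERMISSION, i.e. Play Services.
        }
    };

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forward = getIntent().getParcelableExtra(EXTRA_FORWARD);
        if (forward != null && isTrustedCaller() && isSafeTarget(forward)) {
            // Strip URI grants so the forwarded Intent cannot carry our provider access along.
            forward.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
            startActivity(forward);
        }
        // Without the permission argument any app could broadcast SMS_RETRIEVED_ACTION to us.
        registerReceiver(smsReceiver, new IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION),
                SmsRetriever.SEND_PERMISSION, null);
    }
    private boolean isTrustedCaller() {
        // getCallingActivity() is null unless we were launched via startActivityForResult().
        ComponentName caller = getCallingActivity();
        return caller != null && TRUSTED_CALLER.equals(caller.getPackageName());
    }
    private boolean isSafeTarget(Intent forward) {
        // A nested Intent resolving into our own package is how a redirect reaches non-exported components.
        ComponentName target = forward.resolveActivity(getPackageManager());
        return target != null && !getPackageName().equals(target.getPackageName());
    }
    @Override
    protected void onDestroy() {
        unregisterReceiver(smsReceiver);
        super.onDestroy();
    }
}
```

The target check refuses anything that resolves back into the app's own package; a stricter variant would compare against an explicit allow-list of ComponentNames.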