Android Intent Redirection Vulnerability

Summary

Version: 7.3.1
Affected OS: Android

Current behavior

When we added react-native-device-info and used some functions like getVersion(), after releasing a version on Google Play, we received an email (from the Google Play Console) about an Intent Redirection Vulnerability. You can find more info about the issue at this link.

Expected behavior

Clearing the error and warning alert on the Google Play Console

Suggested resolution

According to the above Google Help link, ensuring that the extracted Intent is from a trustworthy source can resolve the problem.

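// check if the originating Activity is from trusted package
// (getCallingActivity() returns null unless the Activity was started with startActivityForResult)
ComponentName caller = getCallingActivity();
if (caller != null && "known".equals(caller.getPackageName())) {
  Intent intent = getIntent();
  // extract the nested Intent
  Intent forward = (Intent) intent.getParcelableExtra("key");
  // redirect the nested Intent
  startActivity(forward);
}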

1 possible answer(s) on “Android Intent Redirection Vulnerability”

  1. I’m having the same issue.

    Using this command in my node-modules directory: grep -rwl 'android:exported="true"' ./ I have 2 potential culprits: either this package or react-native-firebase/messaging.

    But we did just upgrade from 5.6.5 to 7.2.1, so I’m guessing that this library is the issue. I’ll downgrade and report back if that fixes it.
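
The grep in the comment above only lists files containing the literal android:exported="true". As an added example (not code from this thread or from either library), the Python below parses each AndroidManifest.xml and names the exported components, including those exported implicitly through an intent-filter when targetSdkVersion is below 31; the sample manifest and its component names are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".Relay" android:exported="true"/>
    <service android:name=".Push"><intent-filter/></service>
    <receiver android:name=".Guarded" android:exported="true"
        android:permission="com.example.SEND"/>
    <activity android:name=".Internal" android:exported="false"/>
</application></manifest>"""  # constructed sample, hypothetical names


def exported_components(manifest_xml):
    """Return (tag, name, how, permission) for each component other apps can reach."""
    findings = []
    for app in ET.fromstring(manifest_xml).iter("application"):
        for comp in app:
            if comp.tag not in COMPONENTS:
                continue
            exported = comp.get(ANDROID + "exported")
            has_filter = comp.find("intent-filter") is not None
            # No attribute + intent-filter: exported by default if targetSdkVersion < 31.
            if exported == "true" or (exported is None and has_filter):
                how = "explicit" if exported == "true" else "implicit"
                findings.append((comp.tag, comp.get(ANDROID + "name"), how,
                                 comp.get(ANDROID + "permission")))
    return findings


def scan(root_dir):
    """Map each AndroidManifest.xml under root_dir to its exported components."""
    results = {}
    for path in Path(root_dir).rglob("AndroidManifest.xml"):
        try:
            found = exported_components(path.read_text(encoding="utf-8"))
        except (ET.ParseError, UnicodeDecodeError, OSError):
            continue  # skip templates and unreadable files
        if found:
            results[str(path)] = found
    return results


if __name__ == "__main__":
    for path, comps in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, *comps, sep="\n  ")
```

Pass the node_modules directory as the first argument; each reported component is one to review for code that forwards a nested Intent.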