
Remediation for Implicit PendingIntent Vulnerability


Hello! We are happily using react-native-push-notification in our app. At our latest update, Google contacted us because of a potential vulnerability due to implicit pending intents within our app. A complete article that describes this security breach can be found here. After searching through our code I found these lines of code, which look similar to the implicit intent pattern described in the article:

// RNPushNotificationHelper.java
Intent notificationIntent = new Intent(context, RNPushNotificationPublisher.class);
...
return PendingIntent.getBroadcast(context, notificationID, notificationIntent, PendingIntent.FLAG_UPDATE_CURRENT);

Has anyone using this package received the same warning from google? Do you think the above method could be related to that? Thanks for your help!
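The snippet quoted above already names its target class, so the intent itself is explicit; what the Play Console remediation asks for beyond that is pinning the package and, on API 23 and later, creating the PendingIntent as immutable so that whatever process receives it cannot fill in or rewrite fields. The helper class below is an added example written for this thread, not code from react-native-push-notification: the class name ExplicitPendingIntents and the method names are hypothetical, the "notification" extra key is taken from the library's code quoted in this thread, and the before/after pair shows the quoted pattern beside its hardened form.

```java
// Added example for this thread; not part of react-native-push-notification.
// Assumed names: ExplicitPendingIntents, beforeFix, broadcastFor, activityFor, isExplicit.
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.Bundle;

public final class ExplicitPendingIntents {

    private ExplicitPendingIntents() {}

    // The pattern quoted in the issue: the component is explicit, but the
    // PendingIntent is mutable (FLAG_UPDATE_CURRENT only), so a recipient of the
    // PendingIntent can still change unset fields. Kept only for contrast.
    public static PendingIntent beforeFix(Context context, int notificationId, Class<?> receiver) {
        Intent notificationIntent = new Intent(context, receiver);
        return PendingIntent.getBroadcast(context, notificationId, notificationIntent,
                PendingIntent.FLAG_UPDATE_CURRENT);
    }

    // Hardened broadcast PendingIntent: explicit component, package pinned to our own
    // app, and the PendingIntent itself immutable where the platform supports it.
    public static PendingIntent broadcastFor(Context context, int notificationId, Class<?> receiver) {
        Intent notificationIntent = new Intent(context, receiver);
        notificationIntent.setPackage(context.getPackageName());
        return PendingIntent.getBroadcast(context, notificationId, notificationIntent,
                immutableFlags(PendingIntent.FLAG_UPDATE_CURRENT));
    }

    // Same treatment for the activity PendingIntent attached to a tapped notification.
    public static PendingIntent activityFor(Context context, int requestCode, Class<?> activity, Bundle extras) {
        Intent intent = new Intent(context, activity);
        intent.setPackage(context.getPackageName());
        intent.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
        intent.putExtra("notification", extras);
        return PendingIntent.getActivity(context, requestCode, intent,
                immutableFlags(PendingIntent.FLAG_UPDATE_CURRENT));
    }

    // FLAG_IMMUTABLE exists from API 23 (M). From Android 12 (API 31) the platform
    // requires apps targeting it to state mutability explicitly, so add the flag
    // wherever nothing needs to fill the intent in later.
    static int immutableFlags(int baseFlags) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            return baseFlags | PendingIntent.FLAG_IMMUTABLE;
        }
        return baseFlags;
    }

    // Cheap pre-ship check for a unit test: an intent that is about to be wrapped in a
    // PendingIntent should name both its component and its package. Note that the
    // two-argument Intent constructor sets only the component; getPackage() stays null
    // until setPackage() is called, which is exactly what the patch in this thread adds.
    static boolean isExplicit(Intent intent) {
        return intent.getComponent() != null && intent.getPackage() != null;
    }
}
```

In a Robolectric or instrumented test, build the intent the way the library does, run isExplicit on it, and fail the build when it returns false; that catches a new intent construction site added without the setPackage call before the Play Console does.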

Issue Analytics

  • State: open
  • Created: 2 years ago
  • Reactions: 4
  • Comments: 9

Top GitHub Comments

1 reaction
bjacog commented, Jul 7, 2021

So I manually patched the version I had been using; it was really old, so you might need to adjust for your version. Once I have updated my apps to the latest version of this lib I can make a PR to resolve this if it is still a problem with latest.

The app that passed review is using react-native-push-notification@3.1.9. Here is my patch that passed review:

--- a/node_modules/react-native-push-notification/android/src/main/java/com/dieam/reactnativepushnotification/modules/RNPushNotificationHelper.java
+++ b/node_modules/react-native-push-notification/android/src/main/java/com/dieam/reactnativepushnotification/modules/RNPushNotificationHelper.java
@@ -23,6 +23,7 @@ import androidx.core.app.NotificationCompat;
 import android.util.Log;
 
 import com.facebook.react.bridge.ReadableMap;
+import com.facebook.react.bridge.ReactContext;
 
 import org.json.JSONArray;
 import org.json.JSONException;
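Review bot: the added `import com.facebook.react.bridge.ReactContext;` is unused: none of the lines inserted by this patch reference ReactContext, and every insertion calls `context.getPackageName()` on the `context` that is already in scope. Drop the import so the patch does not suggest a ReactContext cast is required.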
@@ -73,6 +74,7 @@ public class RNPushNotificationHelper {
         int notificationID = Integer.parseInt(bundle.getString("id"));
 
         Intent notificationIntent = new Intent(context, RNPushNotificationPublisher.class);
+        notificationIntent.setPackage(context.getPackageName());
         notificationIntent.putExtra(RNPushNotificationPublisher.NOTIFICATION_ID, notificationID);
         notificationIntent.putExtras(bundle);
 
@@ -276,6 +278,7 @@ public class RNPushNotificationHelper {
             notification.setStyle(new NotificationCompat.BigTextStyle().bigText(bigText));
 
             Intent intent = new Intent(context, intentClass);
+            intent.setPackage(context.getPackageName());
             intent.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
             bundle.putBoolean("userInteraction", true);
             intent.putExtra("notification", bundle);
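Review bot: this is the second of three identical one-line `setPackage(context.getPackageName())` insertions, each placed by hand after a `new Intent(context, ...)`; a small helper such as `private static Intent explicitIntent(Context context, Class<?> target)` that constructs the Intent and pins the package in one place would keep the next intent construction site added to this file from silently missing the call. The `FLAG_ACTIVITY_SINGLE_TOP` and `putExtra("notification", bundle)` lines that follow are unchanged and unaffected by the insertion.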
@@ -359,6 +362,7 @@ public class RNPushNotificationHelper {
                     }
 
                     Intent actionIntent = new Intent(context, intentClass);
+                    actionIntent.setPackage(context.getPackageName());
                     actionIntent.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
                     actionIntent.setAction(context.getPackageName() + "." + action);
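Review bot: this hunk is truncated relative to its header: `@@ -359,6 +362,7 @@` declares six pre-image lines but only five are shown (the trailing context line after `actionIntent.setAction(...)` is missing), so `git apply` or `patch` will reject the pasted text as corrupt; anyone reusing it should regenerate the diff with `git diff` or apply the four one-line insertions by hand. The insertion itself matches the others, and `actionIntent.setAction(context.getPackageName() + "." + action)` on an intent whose component was set by the constructor keeps the intent explicit, since component-based resolution takes precedence over the action string.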
0 reactions
aotaduy commented, Apr 5, 2022

I'm having this issue even with 8.1.1. Can we create a pull request based on @bjacog changes?
