We were asked to make changes to our react native app when an updated version was submitted to Google Play Store. The issue highlighted was "Intent Redirection" vulnerability. It was legacy code, but nevertheless, better late than never.
One of the suggested methods in the Google help guide was this:
Option 2: Ensure that the extracted Intent is from a trustworthy source.
You can verify that the originating Activity can be trusted using methods like >getCallingActivity. For example:
// check if the originating Activity is from trusted package
if (getCallingActivity().getPackageName().equals(“known”)) {
Intent intent = getIntent();
// extract the nested Intent
Intent forward = (Intent) intent.getParcelableExtra(“key”);
// redirect the nested Intent
startActivity(forward);
}
On changing code as per this guidance, the build showed an error that getCallingActivity was not a known symbol. The code already uses getCurrentActivity and getApplicationContext.
What would be the best way for us to rectify in our React Native app, this vulnerability in our native Java code?
Will deeply appreciate your quick support here. Thanks!
RazorPay released a new version. Please follow below link for more info.
https://github.com/razorpay/react-native-razorpay/issues/291
We had to upgrade our react-native-share dependency. In the releases it mentions some security patches a little while back. Once we upgraded to 4.x, we stopped receiving emails from google regarding the security vulnerability.
Can you Try Reading this Document ?
https://static.googleusercontent.com/media/www.google.com/en//about/appsecurity/play-rewards/Android_app_vulnerability_classes.pdf
I just received the following email from Google Play
'Hello Google Play Developer,
We detected that your app(s) listed at the end of this email are
invoking the in-app billing service without setting a target package
for the intent. This can enable a malicious package to bypass the Play
store billing system and access items that have not been purchased.
Next Steps
If you are using IabHelper, please start using the latest SDK. If you
are manually invoking the in-app billing service, make sure you are
calling Intent.setPackage(“com.android.vending”) on any intents to
"com.android.vending.billing.InAppBillingService.BIND". Sign in to
your Developer Console and submit the updated version of your app.
Check back after five hours - we’ll show a warning message if the app
hasn’t been updated correctly.'
I am not sure what is the fix for this problem. Can anyone tell where to specify the code? Is it somewhere in Java Class or the Manifest?
I received the same warning a few days ago and was already setting the package for the intent like this:
Intent serviceIntent = new Intent("com.android.vending.billing.InAppBillingService.BIND");
serviceIntent.setPackage("com.android.vending");
bindService(serviceIntent, mServiceConn, Context.BIND_AUTO_CREATE);
The issue has gone away by updating to the latest versions of Google Play Services and targeting Lollipop (5.1) instead of KitKat (4.4)... if you're using any Google Play Apis make sure you update them to the newest versions and hopefully that'll fix it for you too.
We have also received this alert, and checked our apks.
We found that old version of Google-Play-Service.jar seem to use intent for "com.android.vending.billing.InAppBillingService.BIND", witout setting setPackage.
We have also checked the latest Google-Play-Service.jar and this one was fine, so I'd suggest checking your library.
Search your whole code repository for the following code statement.
Intent serviceIntent = new Intent("com.android.vending.billing.InAppBillingService.BIND");
Wherever you have used the above intent, don't forget to add this code below serviceIntent.setPackage("com.android.vending");
There was two occurrences of the above intent in my whole code base, one was in IabHelper java file were if u use the latest in app billing sdk, this statement would be already added, Another occurrence, I used this intent to check if InApp Billing service was available, I have forgot to add the serviceIntent.setPackage("com.android.vending");, once i figured that out and updated my App in developer console, the warning message was removed after few hours.
You must update your IabHelper files with last SDK from:
https://github.com/googlesamples/android-play-billing/tree/master/TrivialDrive/app/src/main/java/com/example/android/trivialdrivesample/util
When you overwrite old files, Eclipse or Android Studio will display errors and you have to fix them, for example add try catch, or add one parameter to queryInventory function.
Remember update package name in new files if you changed it.
EDIT: Also finally I need update google_play_services.jar lib included in my project. After update this notification alert has hidden. I was using an older google play service lib. Now I am using rev 28 version.
The fix will be in your Java. Search your codebase for an Intent with the action "com.android.vending.billing.InAppBillingService.BIND", either passed into the constructor or set via Intent.setAction(). Before calling bindService() with that intent, you must explicitly set the package via Intent.setPackage().
Here is Google's sample code as reference: https://github.com/googlesamples/android-play-billing/blob/master/TrivialDrive/app/src/main/java/com/example/android/trivialdrivesample/util/IabHelper.java#L296
There are three points to solve this problem.
Find com.android.vending.billing.InAppBillingService.BIND in your codes. Let every Intent to this call the method Intent.setPackage(“com.android.vending”).
Update SDK of IabHelper.
Update the Google Play Service library project.
Make sure that these things are done correctly. Every point undone leads to this problem. If the problem still exists, maybe there is something wrong with other jars in your project.
I received the same warning. I was already setting the package when binding the InAppBillingService but I found that I was checking if the InAppBillingService exists like this:
boolean inAppBillingAvailable = !getPackageManager().queryIntentServices(new Intent("com.android.vending.billing.InAppBillingService.BIND"), 0).isEmpty();
Make sure you are also setting the package here:
boolean inAppBillingAvailable = !getPackageManager().queryIntentServices(new Intent("com.android.vending.billing.InAppBillingService.BIND").setPackage("com.android.vending"), 0).isEmpty();
I finally managed to solve this. First I had updated IabHelper, but that did not help. I then noticed that a dependency compile 'com.google.android.gms:play-services:6.1.71' in build.gradle. I changed this to com.google.android.gms:play-services:9.4.0. This was causing many compilation errors. But, then instead of using 9.4.0 version of play-services, I used individual google services of version 9.4.0. In my case it is only com.google.android.gms:play-services-auth:9.4.0 and com.google.android.gms:play-services-drive:9.4.0. This gives only a few compilation errors which I fixed in the code. This then I pushed on google play as alpha, waited 2 days. The warning alert did not popup for the build I uploaded.
Thank you.
Edit: I do not think we need to change IabHelper.java as long as it is setting setPackage("com.android.vending"). I reverted IabHelper.java, and uploaded a build only with 9.4.0 version of play-services-drive and play-services-auth changes. It did not throw warning.
Did not test this solution but you might still try it: replace serviceIntent.setPackage("com.android.vending"); with serviceIntent.setPackage("com.android.vending.billing.InAppBillingService.BIND"); in https://github.com/googlesamples/android-play-billing/blob/master/TrivialDrive/app/src/main/java/com/example/android/trivialdrivesample/util/IabHelper.java#L297 or anywhere you have setPackage thing. Cheers.
UPDATE: Just update Google Play Services lib, worked for me. Cheers.
I had this issue and couldn't afford updating our old pipeline based in eclipse. So I basically decompiled google play service's library, patched the vulnerabilities in eb.java and dx.java, recompiled those two files and put them into the original JAR file. This is explained in my blog.
All the answers are correct. What I did was updates google play services and IAB helper and instead of using IAB helper I sed the method described in google in App purchases tutorial and it fixed the notifications.
I have installed the fabric,integrated jar files and API key.I am always on "https://www.fabric.io/onboard" instead of " https://fabric.io/dashboard".Unable to see the crash report.I have used correct email Id.
Please help,Thanks in advance.
you can see the app here
https://fabric.io/home
and please wait some time to get updated .also double check in your app below line is enabled or not
Fabric.with(this, new Crashlytics());
also check these from the documentation
If you're getting started with Crashlytics for Android,
Make sure our SDK line is after all other 3rd-party SDKs Force a crash
and then relaunch the app. If you're using our
Crashlytics.getInstance().crash() method for testing purposes, make
sure it's not in the onCreate method of your launch Activity
Unable to receive crash reports on my Test flight account even though application gets crashed.
I integrated the SDK in my application. I did following steps -
1. Integrated SDK in code
2. Used proper Application ID
3. Started session using TestFlight.startSession();
4. Called TestFlight.sendCrash(121213, "XXX", "YYY"); method
4. Ended session using TestFlight.endSession(); in one of my destroy() method.
Let me know if I am doing anything wrong or missing anything.
Thanks in advance, your answers will be much appropriated.
Crash sessions should be sent back to TestFlight automatically. There is no need to specify startSession, sendCrash, and endSession. Please contact TestFlight support here (http://help.testflightapp.com/customer/portal/emails/new) so we can further investigate. Please include the URL to the build's permissions page in the email.
Thanks,
Justin (TestFlight Support)
I'm close to finish my first app so I change its name and the corresponding packages. To do so, I used the Android Tools from Eclipse and everything works after one or two attemps (there where a couple of things that I had to change manually), but in general, following the comments from this response, there were not further problems. Except for the Google Maps. Now they are not being displayed anymore and I'm getting the following error:
Google Maps Android API(12251): Failed to load map. Error contacting Google servers. This is probably an authentication issue (but could be due to network errors).
I know that there is no connection problem because I'm getting other kind of info from the internet and because the following sentence is true:
int availabilityCode = GooglePlayServicesUtil.isGooglePlayServicesAvailable(getApplicationContext());
if(availabilityCode == ConnectionResult.SUCCESS){
The first thing that I did was to go to the Google API and change the package name in the place where you generate the key to make it match the new one. That didn't work, so I deleted the key and created a new one. I pasted the new API key in the Android Manifest but it is not working. Any clues? I'm missing any steps?
In the manifest I still have the needed permissions set, like
<permission
android:name="com.alvarosantisteban.pathos.permission.MAPS_RECEIVE"
android:protectionLevel="signature" />
etc.
I think it was a combination of the three things commented here:
That the api key was not valid anymore (but when I posted the question, I already had that done, as I mentioned on it)
But specially that I had to clean the data. I actually deleted the app, because, thanks to the help of android_hungry I went to check my apps and saw that my app appeared two times, one with the maps workings and the other one, the one that is on my desktop as a shortcut, not.
Additionally, it might have happened what silver_man mentioned, I'm not sure.
Thanks to all for the help. :)
You have to create a new api key, as the fingerprint is made from your package name. https://developers.google.com/maps/documentation/android/start?hl=es#obtaining_an_api_key