Google denied update due to Remediation for Implicit PendingIntent Vulnerability

When I try to update my app, I get an error during the review process: Remediation for Implicit PendingIntent Vulnerability - https://support.google.com/faqs/answer/10437428. In my app there is one place where I create a PendingIntent - for Firebase push notifications:

Inside class FCMService extends FirebaseMessagingService

import android.app.PendingIntent;
import android.content.Intent;

import androidx.core.app.NotificationCompat;
import androidx.core.app.NotificationManagerCompat;

import com.google.firebase.messaging.FirebaseMessagingService;
import com.google.firebase.messaging.RemoteMessage;

import org.jetbrains.annotations.NotNull;

import java.util.Map;
import java.util.Random;
import java.util.UUID;

public class FCMService extends FirebaseMessagingService {

    @Override
    public void onMessageReceived(@NotNull RemoteMessage remoteMessage) {
        super.onMessageReceived(remoteMessage);

        // Explicit base Intent: the target component is fixed by the Class argument,
        // and setPackage() restricts resolution to this app.
        Intent intent = new Intent(this, ApplicationActivity.class);
        intent.setAction("com.google.firebase.MESSAGING_EVENT");
        intent.setPackage(getApplicationContext().getPackageName());

        // Copy the deep link (and the title, if present) from the push payload into extras.
        Map<String, String> data = remoteMessage.getData();
        for (Map.Entry<String, String> entry : data.entrySet()) {
            String value = entry.getValue();
            String key = entry.getKey();
            if (key.equals(ApplicationActivity.LINK_URL) ||
                    key.equals(ApplicationActivity.FLOCKTORY_LINK_URL)) {
                intent.putExtra(ApplicationActivity.FLOCKTORY_LINK_URL, value);
                if (remoteMessage.getNotification() != null && remoteMessage.getNotification().getTitle() != null) {
                    intent.putExtra(ApplicationActivity.HMS_PUSH_TITLE, remoteMessage.getNotification().getTitle());
                }
            }
        }

        // FLAG_IMMUTABLE: whoever holds the PendingIntent cannot modify the wrapped Intent.
        PendingIntent pendingIntent = PendingIntent.getActivity(this, 0, intent, PendingIntent.FLAG_IMMUTABLE);

        RemoteMessage.Notification notification = remoteMessage.getNotification();
        NotificationCompat.Builder builder = new NotificationCompat.Builder(this, getString(R.string.channel_id))
                .setSmallIcon(R.drawable.ic_launcher_notification)
                .setColor(getResources().getColor(R.color.colorNotification))
                .setContentTitle(notification == null ? "" : notification.getTitle())
                .setContentText(notification == null ? "" : notification.getBody())
                .setPriority(NotificationCompat.PRIORITY_DEFAULT)
                .setContentIntent(pendingIntent)
                .setAutoCancel(true);

        // Random notification id so successive pushes do not replace each other.
        NotificationManagerCompat notificationManager = NotificationManagerCompat.from(this);
        notificationManager.notify(new Random(UUID.randomUUID().getLeastSignificantBits()).nextInt(), builder.build());
    }
}

In Manifest:

<service
    android:name="ru.svyaznoy.shop.domain.FCMService"
    android:exported="false">
    <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT" />
    </intent-filter>
</service>

implementation "com.google.firebase:firebase-messaging:22.0.0"

minSdkVersion 24
targetSdkVersion 30

I just can't figure out what's wrong with this code - I pass an explicit Intent with all required fields set. My head is blowing - this update is very important. Has anyone had a similar issue?



Solution 1:[1]

Thanks to @kkazakov, the problem is solved. The library com.huawei.hms:push contains unsafe usage of implicit PendingIntents. Google approved the update for a build without this lib.

For me it's time to create gms and hms build flavors to avoid problems with Huawei in the future.

Solution 2:[2]

The Intent in your example is an explicit intent with a given action, so this shouldn't be the cause of your update problem.

I am facing the same security problem and I think the cause is in a dependency, because there are only explicit pending intents in my app.

I don't think that Google prevents an update because of a vulnerability in their own libraries, so I am currently looking into the dependencies of the Huawei SDKs. It's just a guess, but without any more information from the Play Store, guessing is the only thing we can do.
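The implicit and explicit PendingIntent patterns that Solution 2 is contrasting, as an added example that is not part of the question, any of the answers, the app, or the Huawei SDK. The vulnerable form is the one Google's review notice targets; the hardened form is the pattern the question's onMessageReceived already uses (Intent(Context, Class) plus setPackage() plus FLAG_IMMUTABLE). The class name, action string, extra key and the requireExplicit() guard are assumptions for illustration.

```java
// Added example (not from the question or the answers): implicit vs. explicit base
// Intents wrapped in a PendingIntent, plus a guard that rejects implicit ones before
// they reach PendingIntent.getActivity(). Names below are assumptions.
import android.app.PendingIntent;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

public final class PendingIntentExamples {

    // Assumed action string and extra key, used only by this example.
    private static final String ACTION_OPEN = "com.example.app.OPEN_FROM_PUSH";
    private static final String EXTRA_LINK = "link_url";

    private PendingIntentExamples() {}

    /**
     * VULNERABLE: the base Intent names an action but no component and no package.
     * A PendingIntent runs with our app's identity when sent, and whoever holds it
     * (another app that received it via a notification action, a widget, or an SDK
     * that hands it out) can call PendingIntent.send(Context, int, Intent) with an
     * Intent whose fields fill in everything the base Intent left unset (package,
     * data, categories, and extras while the PendingIntent is mutable). The system
     * then resolves the implicit action to a target of the attacker's choosing,
     * executed as us. This is the pattern the review notice flags.
     */
    public static PendingIntent implicitUnsafe(Context ctx, String link) {
        Intent implicit = new Intent(ACTION_OPEN);       // no Class, no setPackage()
        implicit.putExtra(EXTRA_LINK, link);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            flags |= PendingIntent.FLAG_MUTABLE;         // API 31+ requires a mutability flag
        }
        return PendingIntent.getActivity(ctx, 0, implicit, flags);
    }

    /**
     * HARDENED: the same Intent made explicit. Intent(Context, Class) pins the
     * ComponentName, setPackage() limits resolution to our own package, and
     * FLAG_IMMUTABLE stops the holder from filling in or rewriting anything.
     */
    public static PendingIntent explicitSafe(Context ctx, Class<?> target, String link) {
        Intent explicit = new Intent(ctx, target);       // ComponentName is set here
        explicit.setAction(ACTION_OPEN);
        explicit.setPackage(ctx.getPackageName());
        explicit.putExtra(EXTRA_LINK, link);
        return PendingIntent.getActivity(ctx, 0, requireExplicit(explicit),
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
    }

    /**
     * Guard (assumed helper): accept only Intents whose ComponentName is set, which
     * is what Intent(Context, Class), setClassName() or setComponent() provide.
     * setPackage() on its own narrows resolution but does not pin the component,
     * so it is treated as defence in depth rather than as sufficient. Throwing
     * here in debug builds surfaces the mistake before the Play review does.
     */
    public static Intent requireExplicit(Intent intent) {
        ComponentName cn = intent.getComponent();
        if (cn == null) {
            throw new IllegalArgumentException(
                    "Refusing to wrap implicit Intent (no component): " + intent);
        }
        return intent;
    }
}
```

Note that the guard only covers Intents created in your own code; as Solutions 1, 3 and 4 describe, a PendingIntent built inside a third-party SDK such as the Huawei push library is still shipped in your APK and still attributed to your app by the review, so the remaining check is the Play Console pre-launch report, which names the offending class and method.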

Solution 3:[3]

Thank you for your feedback. This issue has been resolved in the release of Push SDK 5.3.0.304. It has been tested and verified by developers and can be approved by Google for release.

For details, you can check the Push Kit Version Change History description.

Solution 4:[4]

Just want to update that our app used Push SDK 5.3.0.304 but still got the warning in the Play Console's pre-launch report details. It indicates that PushNotification.java's method with this signature, void a(android.content.Context,android.content.Intent,long,int), produces the issue.

Maybe @shirley could help to check if this method still has the issue. Thanks.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 ??????? ???????
Solution 2 Stefan P
Solution 3 shirley
Solution 4 Yuchih