
We were asked to make changes to our React Native app when an updated version was submitted to the Google Play Store. The issue highlighted was an "Intent Redirection" vulnerability. It was legacy code, but nevertheless, better late than never.

One of the suggested methods in the Google help guide was this:

Option 2: Ensure that the extracted Intent is from a trustworthy source.

You can verify that the originating Activity can be trusted using methods like getCallingActivity. For example:

    // check if the originating Activity is from a trusted package
    if (getCallingActivity().getPackageName().equals("known")) {
      Intent intent = getIntent();
      // extract the nested Intent
      Intent forward = (Intent) intent.getParcelableExtra("key");
      // redirect the nested Intent
      startActivity(forward);
    }

On changing code as per this guidance, the build showed an error that getCallingActivity was not a known symbol. The code already uses getCurrentActivity and getApplicationContext.

What would be the best way for us to rectify this vulnerability in the native Java code of our React Native app?

Will deeply appreciate your quick support here. Thanks!

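
One way to apply the guide's check from inside a React Native native module, added here as an example that is not from the question author or any of the answers: a ReactContextBaseJavaModule is not an Activity, so getCallingActivity is reached through getCurrentActivity(). The module name, the package name and the trusted-package allowlist are hypothetical, and the check fails closed when getCallingActivity() returns null (which it does when the Activity was not launched with startActivityForResult).

```java
package com.example.app; // hypothetical package name

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import com.facebook.react.bridge.Promise;
import com.facebook.react.bridge.ReactApplicationContext;
import com.facebook.react.bridge.ReactContextBaseJavaModule;
import com.facebook.react.bridge.ReactMethod;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ForwardIntentModule extends ReactContextBaseJavaModule {
  // Hypothetical allowlist of packages whose nested Intents we are willing to forward.
  private static final Set<String> TRUSTED_PACKAGES =
      new HashSet<>(Arrays.asList("com.example.trustedapp"));

  public ForwardIntentModule(ReactApplicationContext context) { super(context); }

  @Override public String getName() { return "ForwardIntent"; }

  // Package of the Activity that launched the current one, or null when it is unknown
  // (no Activity, or the Activity was started with startActivity, not startActivityForResult).
  static String callingPackage(Activity activity) {
    if (activity == null) return null;
    ComponentName caller = activity.getCallingActivity();
    return caller == null ? null : caller.getPackageName();
  }

  @ReactMethod
  public void forwardNestedIntent(String extraKey, Promise promise) {
    Activity activity = getCurrentActivity(); // the Activity hosting the React Native view
    String caller = callingPackage(activity);
    if (caller == null || !TRUSTED_PACKAGES.contains(caller)) {
      // Unknown or untrusted caller: do not redirect anything it handed us.
      promise.reject("UNTRUSTED_CALLER", "Refusing to forward Intent from " + caller);
      return;
    }
    Intent forward = (Intent) activity.getIntent().getParcelableExtra(extraKey);
    if (forward == null) {
      promise.reject("NO_INTENT", "No nested Intent under extra " + extraKey);
      return;
    }
    activity.startActivity(forward); // only reached for an allowlisted caller
    promise.resolve(caller);
  }
}
```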

3 Answers


RazorPay released a new version. Please follow the link below for more info.

https://github.com/razorpay/react-native-razorpay/issues/291


We had to upgrade our react-native-share dependency. In the releases it mentions some security patches a little while back. Once we upgraded to 4.x, we stopped receiving emails from Google regarding the security vulnerability.
