Your app contains an Intent Redirection vulnerability - android-security

I launched a game to the Google Play store recently and it was going well until now. I just received an email from Google that says "One or more of your apps contains an Intent Redirection vulnerability that puts user data at risk" and tells me I need to fix it by August 13.
I personally don't collect or demand any user data or info. However, I used Google AdMob ads with Facebook mediation and Unity Ads in my game, which may be the cause of this problem. So, my question is how to overcome this problem? They also said in the email to make changes in the manifest file. If anyone has had a similar problem and knows the solution for it, your help would be appreciated.
Here is the email:
"One or more of your apps contains an Intent Redirection vulnerability that puts user data at risk. On August 13, 2019, any apps that contain unfixed security vulnerabilities beyond the dates listed on your Play Console alerts will be removed from Google Play.
Action required
Sign in to your Play Console.
Select Alerts to see which apps contain a security vulnerability, and review the guidance on how to resolve the vulnerability.
Update your affected apps to fix the vulnerabilities.
Submit the updated versions of your affected apps.
Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully then no further action is required. If the app fails review then the new app version will not be published and you will receive notification via email."

I was having the same issue ("intent redirection: your app(s) are vulnerable to intent redirection") and I added exported="false" to every activity, but still got rejected. Then I realized the problem was in one of the payment libraries I was using; all I had to do was update the library and the new app update went live.
My issue was in the RazorPay payment gateway; I updated it from 1.6.3 to 1.6.6 (latest):
implementation 'com.razorpay:checkout:1.6.6'
They already mentioned this issue here, check it out: https://github.com/razorpay/razorpay-android-sample-app/issues/202

I had the same issue. Actually, the latest Unity adds the Xiaomi SDK by default, which causes this issue.
Simply remove Xiaomi from your Unity build; it will fix the issue.

We received a similar email. In the Play Console Alerts tab, we found this:
For us, the reason was "com.androidnative.features.social.common.SocialProxyActivity.StartActivity",
which comes from the Android Native asset (Ultimate Mobile) for Unity3D.
We used that asset for advertisements, in-app purchases and Play Games services instead of using the original SDKs. So the possible solution is to remove that asset from our game and use the original SDKs.

Here is the Screenshot of my alert.

There are several points to keep in mind to resolve that issue:
The most confusing: you must roll out the fixed APK/AAB of the affected application to 100% on all tracks where it was present. An important note is that, among others, you must roll out the production track release to 100% in order for Google to re-check your issue.
In the new version of the Play Console there is no way to find out any specific information about the issue, so you should email Google Support to ask for details. As a response you may possibly get an obfuscated method or class signature, so you need to deobfuscate it.
Read carefully through the official document to address issues and resolve them. Our application got rejected because an SMS BroadcastReceiver did not apply any permission restrictions.

Ihsan Ali
The problem is in the UnityChannel.aar file. You need to open it with the help of an archiver and open the AndroidManifest.xml. In the line android:exported="true" I wrote false, as indicated in the article from Google. Now publish the version and the error will no longer be reported.
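The answers above fix the alert by flipping android:exported in a third-party SDK's manifest or by updating the SDK. As an added example (not code from the question, the answers, or any SDK named in this thread), the following shows what the Play alert is actually about at the code level: an exported activity that takes an Intent out of its own extras and starts it, beside a hardened version that only forwards to an allow-list of destinations and strips URI grant flags. The class names, the extra key "forward_intent" and the allow-listed components are hypothetical.

```java
// Added example: not code from the question, the answers, or any SDK named in the
// thread. It shows the pattern Google Play flags as "Intent Redirection" and one
// way to fix it at the code level. Class names and the extra key are hypothetical.
package com.example.intentredirect;

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * A proxy activity that other apps can launch (android:exported="true" in the
 * manifest) and that forwards an Intent found in its own extras. startActivity()
 * on a caller-supplied Intent runs it with THIS app's identity, so the caller can
 * reach this app's non-exported components and borrow any URI permissions it
 * holds. That is the defect the Play alert describes.
 */
class VulnerableProxyActivity extends Activity {
    static final String EXTRA_FORWARD = "forward_intent"; // hypothetical extra key

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forwarded = getIntent().getParcelableExtra(EXTRA_FORWARD);
        if (forwarded != null) {
            startActivity(forwarded); // VULNERABLE: destination is chosen by the caller
        }
        finish();
    }
}

/**
 * Hardened version of the same proxy:
 *  1. the nested Intent must resolve to a component on an allow-list, so it can
 *     never reach one of this app's private (non-exported) components;
 *  2. URI grant flags and ClipData are stripped so the caller cannot piggyback on
 *     this app's content-provider permissions;
 *  3. anything else is logged and dropped rather than started.
 * Components that never need to be reached by other apps should additionally
 * declare android:exported="false" in the manifest, which removes the entry point.
 */
public class HardenedProxyActivity extends Activity {
    static final String EXTRA_FORWARD = "forward_intent"; // hypothetical extra key
    private static final String TAG = "HardenedProxy";

    // Allow-list of destinations this proxy will forward to. Hypothetical names;
    // a real app lists only the components it deliberately exposes this way.
    private static final Set<ComponentName> ALLOWED = new HashSet<>(Arrays.asList(
            new ComponentName("com.example.intentredirect", "com.example.intentredirect.ShareActivity"),
            new ComponentName("com.example.partner", "com.example.partner.LoginActivity")));

    private static final int URI_GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forwarded = getIntent().getParcelableExtra(EXTRA_FORWARD);
        Intent safe = sanitize(forwarded);
        if (safe != null) {
            startActivity(safe);
        } else {
            Log.w(TAG, "Dropped untrusted redirect from " + getCallingPackage());
        }
        finish();
    }

    /** Returns a copy of {@code in} that is safe to start, or null if it must be dropped. */
    Intent sanitize(Intent in) {
        if (in == null) return null;
        // Resolve to the concrete component the system would start, so an implicit
        // Intent cannot be used to dodge the allow-list.
        ComponentName target = in.resolveActivity(getPackageManager());
        if (target == null || !ALLOWED.contains(target)) {
            Log.w(TAG, "Redirect target not allowed: " + target);
            return null;
        }
        Intent out = new Intent(in);
        out.setComponent(target);                        // pin the resolved destination
        out.setFlags(out.getFlags() & ~URI_GRANT_FLAGS); // never lend our URI permissions
        out.setClipData(null);                           // ClipData can also carry URI grants
        return out;
    }
}
```

The same reasoning applies to the SMS BroadcastReceiver mentioned in one of the answers: a receiver that is exported without an android:permission attribute accepts broadcasts from any app, so restricting it (for SMS, to the system-only android.permission.BROADCAST_SMS) is the manifest-level counterpart of the allow-list above.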

I had the same issue. Just remove the Xiaomi App Game Center from your Unity build options (Unity > Game Build Option). Disabling it will surely clear out the issue.

Related

Allowing my team members to sign in with Google - Flutter - Firebase

I added an option to sign in with Google but, to my understanding, it only works for me because my SHA-1 signature is in the Firebase settings page, so it'll only work for me and not for them.
We're a team of 10 people and I don't want everyone to start adding their own signatures if possible.
Is it at all possible to make this happen in debug mode? We're not in release yet.
P.S if I'm wrong about the reason and it should work fine with only my SHA-1 fingerprint, what is the issue?
I'm not sure if it's different if we deploy the app on the Play Store, but if you've not deployed yet and just downloaded the APK from Android Studio / VS Code, then anyone with a valid Gmail account can sign in.
I've also developed Google sign-in for my app and people are able to log in.
Can you share the setup and code? It can help us narrow down the issue.

How can I delete/unwatch version in crashlytics?

I'm trying to delete versions from my Crashlytics tab as they are not necessary.
I've already seen this post, which is exactly what I need but for Fabric; this new app isn't on Fabric as they'll migrate to Firebase in a month or so.
I haven't been able to find the same functionality as in Fabric. If anyone knows, that would be really helpful.
As of today, after reaching out to Firebase support, I got this answer:
We have received similar requests to add support for enabling and disabling the monitoring of a specific version of your app. I've raised your request to our engineering team, and this will be evaluated for consideration. However, I cannot guarantee when this feature will be officially rolled out.
For now, you may keep an eye out on our Firebase blog or release notes for any latest news or new features that we may have. We appreciate that you have expressed your feedback as this makes Firebase a better place for everyone.

Google One-tap project status

Does anyone know what the status of the Google One-tap (AKA YOLO) project is?
It seems like all the official documentation on One-tap is gone. The cached version states:
The beta test program for this API is currently closed. We are improving the API's cross-browser functionality and will provide updates here in the coming months.
There are quite a few websites which are still using this technology, either because they were in the beta and/or whitelisted by Google.
There is a new version that addresses the feedback and issues from the beta, it's available as of 2020 Q1: https://developers.google.com/identity/one-tap/web
All of the prior URLs regarding One-tap are 404 errors now. Seems like it was totally canned and they are deferring to the more generic sign-in integration from a website login page.
The official document of the project has been updated. Please see the latest status there.

How to fix Google Maps API RefererDeniedMapError

I am working on a web app that includes a map using the Google Maps JavaScript API. It works on our development server, but whenever I try to access it on stage or production using our company domain, I get a RefererDeniedMapError.
The docs at https://developers.google.com/maps/documentation/javascript/error-messages#referer-denied-map-error clearly state that this error means Google has blocked our domain for violating the ToS. An appeal was submitted, but Google claims the domain is not blocked and to see further help here. I've already turned off all API restrictions and removed all referrer restrictions as well, but am still getting the same problems.
I can access the app by going directly to the web app server, but any time I go through our company's domain name the error returns, which leads me to believe that we are in fact blocked.
Has anyone experienced an issue like this or know of a workaround for it? I've looked through the related posts on the topic but have not found any useful info to help resolve the problem.
Edit:
The website uses sensors to track packages in the mail for our customers and alerts them if the sensor gets too much light, is dropped, etc. There are no restriction methods at all. I've added a couple of screenshots showing the map working on development but not during testing.
Map working in development
Map not working on test server
At first look, it just seems to be a normal restriction error. However, since you've said that there are currently no restrictions applied to your API key and it is working properly on the development server but not in production, this seems to be an issue with your API key. Can you try to generate a new API key and use it on your website? If the issue still persists, then this will require technical support from Google Maps Platform, as this may be an issue in the GCP Console. You may file a support case via https://console.cloud.google.com/google/maps-apis/support in order to open a personalized communication channel.

The app metadata promotes another mobile platform

I have updated my app and published the update to the Windows App Store, but during certification it fails, giving the reasons below:
"App Policies: 10.1 Inaccurate Representation. Your app and its associated metadata must accurately and clearly reflect the source, functionality, and features of your app. All aspects of your app should accurately describe the functions, features and any important limitations of your app. Your app may not use a name or icon similar to that of other apps. Your app may not claim to be from a company, government body, or other entity if you do not have permission to make that representation. Keywords may not exceed seven unique terms and should be relevant to your app. Your app must be fully functional. Locations: Metadata. Notes To Developer: The app metadata promotes another mobile platform. For more information see http://go.microsoft.com/fwlink/?LinkId=615230."
I don't know what happened to this update. Earlier versions were approved without any issue.
If anyone has any clue how to fix it, please, please let me know.
Anyway, the solution: I rebuilt and deployed again without any changes, and this time it was certified without any issue.
Don't know what Microsoft was looking for.