fluttercommunity / community

Flutter Community - A central place for community made Flutter content.
1.58k stars 121 forks source link

Issue found: Intent Redirection(Play Store App Rejected) #151

Open sagarZodage opened 2 months ago

sagarZodage commented 2 months ago

Issue found: Intent Redirection

We found that your app contains security vulnerabilities, which can expose user information or damage a user’s device. This is a violation of Device and Network Abuse policy. Specifically, your app(s) are vulnerable to Intent Redirection.

Issue details

We found an issue in the following area(s):

Version code: Code Analysis: "zc.b$b.onReceive" To bring your app into compliance, follow these steps:

To address this issue, follow the steps in this Google Help Center article. About the Device and Network Abuse policy We don’t allow code that introduces or exploits security vulnerabilities. Check out the App Security Improvement Program to find out about the most recent security issues flagged to developers.

Action required: Submit an updated app for review Here's what to do to help get your app on Google Play: Make sure to read the applicable policies or requirements listed below: Device and Network Abuse policy Make appropriate changes to your app (if possible), and be sure to address the issue described above. You may also want to check your app's store listing for compliance, if applicable. Additionally follow these steps for APK/App bundle level updates: Deactivate the noncompliant version and upload a compliant version with an incremented version code. In addition to your Production release, if you have other release types that you use for testing and/or quality assurance checks (for example, Internal test, Closed, and/or Open), please make sure to update those tracks as well. Go to App bundle explorer and select the track with the policy issue (Internal / Closed / Open testing / Production). Click Create new release or Edit release If the release with the violating app bundles/APKs are in a draft state, discard the release. Otherwise, add the policy-compliant version of app bundles/APKs. Make sure that the noncompliant version is under the "Not included" section of this release. Enter a release name and click Save. Once saved, click Review release, and then proceed to roll out the release to 100% and completely deactivate the noncompliant APK. If the noncompliant versions are released to multiple tracks, repeat step 2 in each track. Double check that your app is compliant with all other Developer Program Policies.

sdk: '>=3.5.0 <4.0.0'

dependencies: app_links: ^6.3.2 shared_preferences: ^2.2.1 async: ^2.11.0 connectivity_plus: ^6.0.5 better_open_file: ^3.6.5 cached_network_image: ^3.4.1 carousel_slider: ^5.0.0 clevertap_plugin: ^2.4.1 crypto: ^3.0.3 device_preview: ^1.1.0 dio: ^5.3.2 file_picker: ^8.1.2 firebase_auth: ^5.2.1 firebase_core: ^3.4.1 flutter: sdk: flutter flutter_flavorizr: ^2.2.1 flutter_gen: ^5.3.1 flutter_widget_from_html: ^0.15.2 flutter_inappwebview: ^5.8.0 flutter_launcher_icons: ^0.13.1 flutter_localizations: sdk: flutter flutter_pdfview: ^1.3.1 flutter_rating_bar: ^4.0.1 flutter_slidable: ^3.0.1 flutter_svg: ^2.0.7 geocoding: ^3.0.0 geolocator: ^13.0.1 get: ^4.6.6 get_storage: ^2.0.3 gif_view: ^0.4.0 glassmorphism: ^3.0.0 google_fonts: ^6.2.1 google_maps_flutter: ^2.1.12 google_sign_in: ^6.0.0 hive: ^2.2.3 hive_flutter: ^1.1.0 html: ^0.15.4 http: ^1.1.2 launch_app_store: ^1.0.2 lottie: ^3.1.2 map_launcher: ^3.5.0 path_provider: ^2.1.1 pin_code_fields: ^8.0.1 scroll_to_index: ^3.0.1 scrollable_positioned_list: ^0.3.5

share_plus: ^10.0.2

shimmer: ^3.0.0 sign_in_with_apple: ^6.1.2 sizer: ^2.0.15 sliver_tools: ^0.2.12 syncfusion_flutter_calendar: ^27.1.48 syncfusion_flutter_pdfviewer: ^27.1.48 tutorial_coach_mark: ^1.2.9 url_launcher: ^6.1.14 firebase_crashlytics: ^4.1.1 screenshot: ^3.0.0 firebase_analytics: ^11.3.1 home_widget: ^0.7.0 workmanager: ^0.5.2

flutter_local_notifications: ^17.2.2

quick_actions: ^1.0.6

libphonenumber: ^2.0.2

carrier_info: ^2.0.4

flutter_shakemywidget: ^1.0.5+1 app_version_update: ^5.0.3 releasenotes: ^1.0.5 sms_user_consent_manager: ^1.1.2 firebase_database: ^11.1.2 local_auth: ^2.2.0 flutter_dynamic_icon: ^2.1.0 dev_dependencies: build_runner: null flutter_gen_runner: null flutter_lints: ^4.0.0 flutter_test: sdk: flutter hive_generator: ^2.0.1 dependency_overrides: win32: ^5.2.0

flutter_icons: android: "launcher_icon" ios: true image_path: "assets/png/at_app_icon.png" min_sdk_android: 21

adityapatil18 commented 2 months ago

I have the same issue in my app if anyone find the solution please let me know.

MuhammadShoaib495 commented 1 month ago
  1. Identify the Issue:

Review your app's code where you handle any deep links or external app interactions. This might include packages like url_launcher,app_links, or similar.

2.Use Explicit Intents:

When using native Android functionality, ensure that you use explicit intents. For instance, if you're launching an activity, make sure you specify the target activity.

3.Update Packages:

Check the packages in your pubspec.yaml. Ensure they are updated to their latest versions, as vulnerabilities may have been fixed in newer releases. You can run:

flutter pub upgrade

  1. Review Plugin Code:

If you're using plugins that interact with intents, look into their documentation and codebase. Ensure that they handle intents securely and are up-to-date.

  1. Implement Security Best Practices:

Ensure you follow best practices for any intents and external interactions. For example: Validate and sanitize data that comes from external sources. Limit the exposure of your app's components by setting android:exported to false for any components that shouldn't be accessible from outside your app.

6.Test for Vulnerabilities:

Consider using tools like Lintor SonarQube for static code analysis to identify potential security vulnerabilities in your Flutter app.

  1. Update Your App:

Once you've made the necessary changes, increment the version number in your pubspec.yaml file and submit the updated app.

Example of Using url_launcher If you're using theurl_launcher package, ensure you’re using it securely:

import 'package:url_launcher/url_launcher.dart';

Future launchUrl(String url) async { if (await canLaunch(url)) { await launch(url, forceSafariVC: false, forceWebView: false); } else { throw 'Could not launch $url'; } }