microsoft / appcenter-sdk-android

Development repository for the App Center SDK for Android

Intent Redirection vulnerability - Google Play security error #1614

Closed corneliu-serediuc closed 2 years ago

corneliu-serediuc commented 2 years ago

Intent Redirection

Error / Security

Your app contains an Intent Redirection vulnerability. Please see this Google Help Center article for details.

com.microsoft.appcenter.distribute.AppCenterPackageInstallerReceiver.onReceive sv:deadline:05/01/2022

DmitriyKirakosyan commented 2 years ago

Hi @corneliu-serediuc, thank you for reaching out to us!

From your message I can conclude that you published the app with the distribute module, which you should not do. We have a separate module called distribute-play with a stubbed API that should be used for Google Play builds. See Prepare your Google Play build.

corneliu-serediuc commented 2 years ago

Hi @DmitriyKirakosyan,

Thank you for the reply. I have already prepared the build as instructed. I am using Xamarin and this is what I have included in my .csproj file:

<ItemGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
    <PackageReference Include="Microsoft.AppCenter.Distribute" Version="4.5.0" />
</ItemGroup>
<ItemGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
    <PackageReference Include="Microsoft.AppCenter.DistributePlay" Version="4.5.0" />
</ItemGroup>

What am I still missing?

aleksandr-dorofeev commented 2 years ago

Hi @corneliu-serediuc! I'm not quite sure if the configuration you suggested is correct, because such a configuration does not protect against getting our packages to Google Play. Please see the documentation. Also, I suggest you check the contents of the bin/release or /debug directory after building the application. It is located at the root of your project. If you find dll files with bindings, then this means that the configuration was incorrect.

DmitriyKirakosyan commented 2 years ago

Hi @corneliu-serediuc, does the problem still persist for you? Just a small correction to the answer above: you need to check if Distribute.Android.Bindings.dll is present in the folder you configure for the Google Play distribution (in your snippet it is "Release"), and if it is there, you are doing something wrong. Also, I would recommend creating a separate configuration like "GooglePlay", as "Release" is also likely used for distribution via the App Center portal.

I'm closing the issue but let me know if it has not been resolved for you.
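Added example, not part of the thread and not App Center code: a pre-upload check that automates the inspection suggested in the replies above. It scans a build output folder, and any APK/AAB inside it, for Distribute.Android.Bindings.dll and for the receiver class named in the Google Play report. It assumes packaged assemblies appear as zip entries under their DLL file name, which may not hold for every Xamarin packaging mode; the function names and the default path are illustrative.

```python
import sys
import zipfile
from pathlib import Path

# Names taken from the thread: the bindings assembly to look for and the
# receiver class that Google Play reported (as a dex type descriptor).
BINDINGS_DLL = "Distribute.Android.Bindings.dll"
FLAGGED_CLASS = b"Lcom/microsoft/appcenter/distribute/AppCenterPackageInstallerReceiver;"
ARCHIVE_SUFFIXES = {".apk", ".aab"}


def scan_archive(path):
    """Return findings for one APK/AAB (both are zip containers)."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base.lower() == BINDINGS_DLL.lower():
                findings.append(f"{path}!{info.filename}: bindings assembly packaged")
            elif base.endswith(".dex") and FLAGGED_CLASS in zf.read(info):
                # zf.read() decompresses, so the descriptor is matched in the raw dex
                findings.append(f"{path}!{info.filename}: flagged receiver class present")
    return findings


def scan_output_dir(root):
    """Walk a build output folder and report every trace of the distribute module."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if p.name.lower() == BINDINGS_DLL.lower():
            findings.append(f"{p}: bindings assembly in build output")
        elif p.suffix.lower() in ARCHIVE_SUFFIXES and zipfile.is_zipfile(p):
            findings.extend(scan_archive(p))
    return findings


if __name__ == "__main__":
    # Usage: python check_distribute.py bin/Release  (exit code 1 fails a CI step)
    results = scan_output_dir(sys.argv[1] if len(sys.argv) > 1 else "bin/Release")
    print("\n".join(results) or "no distribute bindings found")
    sys.exit(1 if results else 0)
```

Run it against the folder of the configuration you upload to Google Play; a non-zero exit code means the full distribute module is still being shipped in that build.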