Intent Redirection Vulnerability

[preteambuy]

Please provide all the information requested. Issues that do not follow this format are likely to stall.

Description

Getting the below error after submitting the app to the android app store & after upgrading to flutter 3.7.0.

Intent Redirection Your app(s) are vulnerable to Intent Redirection.

To address this issue, follow the steps in this Google Help Center article.

com.razorpay.b_J.onReceive

Flutter Version :

Flutter 3.7.0 • channel stable • https://github.com/flutter/flutter.git Framework • revision b06b8b2710 (4 days ago) • 2023-01-23 16:55:55 -0800 Engine • revision b24591ed32 Tools • Dart 2.19.0 • DevTools 2.20.1

Xcode Version :

Open Xcode > Go to About Xcode > copy the Xcode version here. 14.2

Cocoapod Version :

Go to iOS folder > open podfile.lock > copy the razorpay-pod version and razorpay_fluttera version. razorpay-pod (1.3.0) razorpay_flutter (1.1.10)

Steps To Reproduce

Provide a detailed list of steps that reproduce the issue.

1. Upgraded flutter to the above version 3.7.0
2. After uploading to android store got the above error message.

Expected Results

Describe what you expected to happen. Fix the vulnerability

Snack, code example, screenshot, or link to a repository:

Please provide a link to a repository on GitHub, or provide a minimal code example that reproduces the problem. You may provide a screenshot of the application if you think it is relevant to your bug report. Here are some tips for providing a minimal example: https://stackoverflow.com/help/mcve

[sagarmahobia]

Same Issue.

[sagarmahobia]

Found any solution?

[nikb7]

Yes, we also got the same warning mail for our app. We are getting this on flutter 3.3.10. Doesn't look related to flutter 3.7.0

[ashwinterminator]

Same issue on our app as well.

[vivekshindhe]

Hey folks, we are currently looking into this. The fix will be made live by Monday morning. Will update here once done. Thank you for your patience.

[tusharbhambere]

Same Issue we also facing

[prateek601]

Any updates here? We are also facing same issue.

[Lokendra16]

I got the mail from google play store after uploading app "Intent redirection vulnerability", If any one of you got the solution please share so.

[vivekshindhe]

Hey folks, apologies for the delay on this. A new version has been pushed to maven for android SDK. Please ensure the older version isn't cached and reinstall again. When uploading to play store please ensure that the version which was throwing this error from google is out of the track so this issue doesn't crop up again. Thank you for your support.

Will keep this thread open in case any of you weren't able to resolve this issue with Google.

[preteambuy]

@vivekshindhe should we do flutter clean n do an android build?

[vivekshindhe]

@preteambuy for flutter just sync it once with gradle. And in external libraries cross verify the version of com.razorpay.checkout to be 1.6.28.

[agrvaibhav]

@vivekshindhe Please point to the native android SDK fix.

[Jigar-zest]

How can we make this change? Do you want us to add com.razorpay.checkout:1.6.28. external library to gradle file or something else? I have checked there is no new version available for this on a pub.dev.

[vivekshindhe]

Right, if you open android studio, you should see it in the External Libraries drop-down in the Project pane on the left side. Honestly, I don't think you'll need to worry about it. Syncing it with gradle should update it to the latest version automatically

[Jigar-zest]

you mean just add com.razorpay.checkout:1.6.28 and gradle will do the rest of the work Right?

[vivekshindhe]

@Jigar-zest Not necessarily. Since the flutter package adds it internally

[Tranminator]

@Jigar-zest Not necessarily. Since the flutter package adds it internally

@vivekshindhe I'm using RazorPay version 1.3.4 on pub.dev so it's will be auto add com.razorpay.checkout:1.6.28 or I must wait newer version on pub.dev?

[vivekshindhe]

@Tranminator it will automatically add it

[ashwinterminator]

Here's what I did -

dart pub cache clean Sync Project with Grade Files To be doubly sure, I also did - ./gradlew --refresh-dependencies from terminal inside the android folder of my Flutter project The external libraries version on Android Studio did say 1.6.28 I uploaded it to the Play Store but still got the intent redirection vulnerability warning.

Anyone else who managed to fix this issue?

[agrvaibhav]

@vivekshindhe We did a clean build through Jenkins yesterday evening and uploaded it to the play store and got the warning immediately after uploading from the play store. There is something amiss here. Would you be able to confirm if the com.razorpay.checkout:1.6.28 indeed fixes the issue.

I can also see, this issue was fixed long time back as per below release notes, so why are we still on it?

[vivekshindhe]

Yes @agrvaibhav it does fixes the issue. The issue is with the broadcast receiver sent by SMS_RETREIVER_API which leads to vulnerability. The above was a different one. While the above issue is related to the android code is flutter, the issue you are currently facing on Play Console relates to the android SDK which has been updated.

[vinayak-idc]

hi everyone, i have tried updating the version to 1.3.4 and made sure the Gradle version says 1.6.28. but i haves still received this issue stating Your app(s) are vulnerable to Intent Redirection.

To address this issue, follow the steps in this Google Help Center article.

com.razorpay.x2.onReceive

please check.

[vinayak-idc]

hi @joeydash are you asking to update flutter version to 3.7.0 ?

[jerrypaulsam]

Has anyone got a fix? I just received the same warning from google play now!

[vivekshindhe]

Hey guys, apologies for the delay. Had to combine two of the remedies together for it to work. Please reinstall the razorpay package and try uploading. I'm gonna attach a screenshot of the working sample as well.

That said, we apologize for this issue. We'll see why it happened and how we can ensure this doesn't happen again.

[preteambuy]

i was able to successfully submit to android without the issue.

Run

flutter clean flutter pub cache clean

[ashwinterminator]

This appears to be solved.

1. Synced gradle on Android Studio
2. dart pub cache clean
3. flutter clean
4. Ran the build
5. Uploaded to Play Store
6. No warning email after about 12 hours.

Thank you, @vivekshindhe! :)

[ibhavikmakwana]

This appears to be solved.

1. Synced gradle on Android Studio

2. dart pub cache clean

3. flutter clean

4. Ran the build

5. Uploaded to Play Store

6. No warning email after about 12 hours.

Thank you, @vivekshindhe! :)

We have followed all these steps for our app but it is still giving us the same error.

[vivekshindhe]

@ibhavikmakwana Hey, please make sure to deactivate the bundle whose version was throwing this error. Also, please ensure that the com.razorpay:checkout:1.6.29 is installed. You can check this in Android Studio on the left ExternalLibraries.

[ashwinterminator]

@ibhavikmakwana Hey, do make sure to deactivate the bundle who's version was throwing this error.

@vivekshindhe - can you provide a consolidated list of steps to resolve this issue? The instructions are spread out across multiple messages right now. For instance, I did not do this deactivation that you're referring to.

[vivekshindhe]

@ashwinterminator To be fair, it's a bit muddled for me as well. While in the app I tried to pushed to playstore, I did not have to do this. Seeing this is being resolved for other people, it would be best to reach out to google as well to know exactly what works for you.

[jerrypaulsam]

I did everything mentioned above, but still getting the same email from Google. Isn't there a proper approach to this particular issue? This is the 3rd attempt in 24 hours.

[vivekshindhe]

@jerrypaulsam In the retained bundles, if you see a version that gets affected by this, that can also cause this error to pop up. Please ensure to remove it from the retained bundle list. I'd also suggest talking with google directly regarding this because this did not happen in the app I pushed.

[preteambuy]

@jerrypaulsam is it the same exact error as before?

[psyirius]

Same error over and over again after 3 uploads. Tried all the above steps. Got any quick remedy to resolve this?

Edit: Tried it in a VM with fresh dev env. worked. Think there's still some leftover cache of old versions on your machine.

[jerrypaulsam]

This is the same error before and after updating the app.

[jerrypaulsam]

@jerrypaulsam is it the same exact error as before?

Yes it is. We did everything mentioned above multiple times and getting the same error over and over again.

[vivekshindhe]

For the folks who are still facing the issue, please raise a support ticket on the Razorpay Dashboard. Our support team will help you sort out the issue the best we can.

Closing the ticket with this.

[nikb7]

1. dart pub cache clean
2. flutter clean
3. flutter pub get
4. cd android && ./gradlew clean (make sure this is done)
5. flutter pub get

This has fixed the issue for us. Thanks @vivekshindhe @ashwinterminator