razorpay / react-native-razorpay

React Native wrapper for Razorpay's mobile SDKs
https://www.npmjs.com/package/react-native-razorpay
MIT License

google play rejected the app due to Intent Redirection vulnerability in 2.2.2 and 2.2.5 #336

Closed satyajeetkrjha closed 3 years ago

satyajeetkrjha commented 3 years ago

Google Play Store has rejected our app update and sent us the reason behind this rejection: "Intent Redirection vulnerability". On further email exchanges, we got to know that this is happening because of Razorpay.

For example, your app contains an Intent Redirection issue which can allow malicious apps to access private app components or files.

com.razorpay.AutoReadOtpHelper.onReceive

This has been happening on "react-native-razorpay": "^2.2.2". We upgraded the version to "react-native-razorpay": "^2.2.5", cleaned the cache, cleaned the Gradle build, and then tried publishing the app, but it still failed. Please help us to resolve this issue.

vivekshindhe commented 3 years ago

@kolaveridi thanks for reaching out to us. We have already solved this issue. Could you please send your conversation with Google regarding this for more insight?

satyajeetkrjha commented 3 years ago

Thanks for contacting the Google Play team.

Status: Latest app update not available on Google Play

I’ve reviewed your appeal request and found that your app still violates Google Play Policy. If you submitted an update to an existing app, the version published prior to the update is still available on Google Play. I’ve included details below about the specific issue with your app and what you can do to get your app back on Google Play.

Step 1: Fix the policy violation with your app

During review, we found that your app, VITAL: Affordable & Personalized Health Plans (com.getvitalapp) (App Bundle version 3145730), violates the Device and Network Abuse policy:

We don’t allow code that introduces or exploits security vulnerabilities. Check out the App Security Improvement Program to find out about the most recent security issues flagged to developers. You can read through the Device and Network Abuse policy page for more details and examples of common violations.

For example, your app contains an Intent Redirection issue which can allow malicious apps to access private app components or files.

com.razorpay.AutoReadOtpHelper.onReceive

You may refer to this Help Center page to fix the vulnerability issue.

Please make appropriate changes to your app, and be sure to address the issues identified above. In addition to your Production release, if you have other release types that you use for testing and/or quality assurance checks (e.g. Internal test, Closed, Open), please make sure to update those tracks as well.

This rejection doesn't impact the standing of your Google Play Developer Account, but repeated violations can result in the suspension of this app or your Google Play Developer account.

Step 2: Submit your updated APK

To submit an updated app bundle or APK:

- Prepare your updates.
- Create a new release using the compliant app bundle or APK. Be sure to create the new release on the same track(s) as the non-compliant app bundle or APK, increment the version number, and set the release to 100% rollout.
- Follow the on-screen instructions to add APKs or app bundles, then review and roll out your release.

Please also note that you will have to set the non-compliant APK referenced above to DEACTIVATED before you make a new submission of the compliant APKs.

Please let me know if you have any other questions. Thanks for working with us to fix the policy issue and for your continued support of Google Play.
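For readers who hit the same rejection: the Play finding above names a BroadcastReceiver (an onReceive method) as the location of an "Intent Redirection" issue. The page does not show the source of com.razorpay.AutoReadOtpHelper, so the following is an added illustration from the editor, not code from react-native-razorpay or the Razorpay Android SDK. It shows the generic receiver pattern that Play's scanner flags (relaunching a nested Intent pulled out of an untrusted broadcast) alongside the remediation Google's Help Center describes (validate the target and strip URI grant flags before forwarding). The package, class, action and extra names are hypothetical; only android.* APIs are used.

```java
// Added example, not Razorpay's code. Everything named here is hypothetical
// except the android.* APIs.
package com.example.otp;

import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

public class OtpForwardReceiver extends BroadcastReceiver {

    // Hypothetical: the action this receiver is registered for in the manifest.
    static final String ACTION_OTP_READ = "com.example.otp.ACTION_OTP_READ";
    // Hypothetical: extra under which a caller may pass a follow-up Intent.
    static final String EXTRA_NEXT = "com.example.otp.EXTRA_NEXT";

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!ACTION_OTP_READ.equals(intent.getAction())) {
            return; // ignore anything but the action we registered for
        }

        // FLAGGED PATTERN (kept as a comment so it is not compiled in):
        // relaunching a nested Intent taken from an untrusted broadcast. If this
        // receiver is exported, any app on the device can hand us an explicit
        // Intent aimed at one of our *non-exported* activities, or a content: URI
        // carrying grant flags, and we would open it with our own identity.
        //
        //   Intent next = intent.getParcelableExtra(EXTRA_NEXT);
        //   if (next != null) context.startActivity(next);

        // REMEDIATED: forward only after validating the target and removing
        // any URI permission grants.
        Intent next = intent.getParcelableExtra(EXTRA_NEXT);
        if (next != null && isSafeRedirect(context, next)) {
            next.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); // needed from a receiver Context
            context.startActivity(next);
        }
    }

    /**
     * Returns true only if {@code next} resolves to an activity outside this
     * app (so it cannot reach our private components). As a side effect it
     * removes every flag that would grant the target access to our content
     * providers. A stricter variant is an allowlist of exact ComponentNames.
     */
    static boolean isSafeRedirect(Context context, Intent next) {
        next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);

        ComponentName target = next.resolveActivity(context.getPackageManager());
        if (target == null) {
            return false; // unresolvable: nothing sensible to start
        }
        // Refuse redirects back into our own package: those are exactly the
        // private components an attacker would try to reach through us.
        return !target.getPackageName().equals(context.getPackageName());
    }
}
```

Two practical notes. First, the simplest fix for an OTP receiver is usually not to forward caller-supplied Intents at all; the validation above is for cases where a redirect is genuinely needed. Second, Play's check is static, so even after the library is fixed the finding is reported against whichever bundle still contains the old class, which is consistent with the maintainer's advice in this thread to deactivate the flagged bundle before uploading the new one.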

satyajeetkrjha commented 3 years ago

I installed react-native-razorpay versions 2.2.2 and 2.2.5, but both of these versions failed to solve our issue and our app got rejected.

vivekshindhe commented 3 years ago

@kolaveridi we have seen this happen: the version they deemed to have the intent redirection issue should be removed from the app's track, as they've said in their mail. You have to deactivate it first and then upload your new app bundle. Could you please try this out? The intent redirection issue did exist, but it was resolved for all merchants and platforms. This is the only reason I think you're seeing this even after updating.

vivekshindhe commented 3 years ago

@satyajeetkrjha Closing the issue due to inactivity. Please feel free to comment here to reopen. Thank you.