tinycreative / react-native-intercom

React Native wrapper for Intercom.io
MIT License
406 stars 280 forks

Google Play has rejected the app because of vulnerability issue #402

Closed asimolmez closed 2 years ago

asimolmez commented 3 years ago

Your app contains an Intent Redirection vulnerability. Please see this Google Help Center article for details. Vulnerable classes: io.intercom.android.sdk.utilities.IntentUtils.safelyOpenIntent

I use react-native@0.62.2, react-native-intercom@17.0.0, and the package contains a vulnerable class so Google Play does not approve it. The intercom support team says that you should fix this error on the react-native module side. https://forum.intercom.com/s/question/0D52G00004YGl0tSAD/why-did-i-get-a-security-alert-from-the-google-play-console-when-uploading-a-recent-app-build

Can you help us with it, please?

twiking commented 3 years ago

@asimolmez We got the same issue and it seems that it was connected to some old configuration in AndroidManifest.xml. No configuration in AndroidManifest.xml is needed anymore according to the Installation Guide.

asimolmez commented 3 years ago

Thanks @twiking 🎉

andiradulescu commented 3 years ago

@twiking for anyone else reaching this page, I'm linking what exactly was removed from AndroidManifest.xml from the old README and needs to be removed.

    <service
        android:name="com.robinpowered.react.Intercom.IntercomIntentService"
        android:exported="false">
        <intent-filter
            android:priority="999">
            <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
        </intent-filter>
    </service>
    <receiver
        android:name="io.intercom.android.sdk.push.IntercomPushBroadcastReceiver"
        tools:replace="android:exported"
        android:exported="true" />

flochtililoch commented 3 years ago
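Since the thread's fix comes down to deleting manifest entries (and later comments show people unsure whether they removed the right ones), a quick audit of the merged manifest is the practical check. The script below is an added example, not code from this project or from Intercom: it parses an AndroidManifest.xml and lists every component that other apps can reach, either because it sets `android:exported="true"` or because it declares an `<intent-filter>` without an explicit `android:exported` value (implicitly exported on pre-Android 12 targets). The sample manifest is constructed for this example and embeds the `<service>`/`<receiver>` block quoted above; the merged-manifest path mentioned in the comments is an assumption about a typical Gradle layout.

```python
"""Audit an AndroidManifest.xml for components reachable from other apps.

Added example (not part of react-native-intercom). Point it at the merged
manifest, typically app/build/intermediates/merged_manifests/<variant>/
AndroidManifest.xml (assumed path), after removing the legacy Intercom entries.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: a launcher activity plus the block quoted in this thread.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service
        android:name="com.robinpowered.react.Intercom.IntercomIntentService"
        android:exported="false">
        <intent-filter android:priority="999">
            <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
        </intent-filter>
    </service>
    <receiver
        android:name="io.intercom.android.sdk.push.IntercomPushBroadcastReceiver"
        tools:replace="android:exported"
        android:exported="true" />
  </application>
</manifest>
"""


def _attr(elem, ns, name):
    """Read a namespaced attribute (android:* or tools:*), or None if absent."""
    return elem.get("{%s}%s" % (ns, name))


def exported_components(manifest_xml):
    """Return a list of dicts, one per component that is exported.

    A component is reported when android:exported="true", or when it has an
    <intent-filter> and no explicit android:exported attribute (the historical
    default makes such components exported).
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS:
            continue
        explicit = _attr(elem, ANDROID_NS, "exported")
        has_filter = elem.find("intent-filter") is not None
        if explicit == "true":
            reason = 'android:exported="true"'
        elif explicit is None and has_filter:
            reason = "intent-filter present and android:exported not set (implicitly exported)"
        else:
            continue  # explicitly private, or no way for another app to target it
        findings.append({
            "tag": elem.tag,
            "name": _attr(elem, ANDROID_NS, "name"),
            "reason": reason,
            # tools:replace="android:exported" means a library manifest's value
            # is being overridden at merge time; worth a second look.
            "tools_replace": _attr(elem, TOOLS_NS, "replace"),
            "actions": [_attr(a, ANDROID_NS, "name") for a in elem.iter("action")],
        })
    return findings


def report(manifest_xml):
    """Format the findings as one line per exported component."""
    lines = []
    for f in exported_components(manifest_xml):
        extra = " (tools:replace=%s)" % f["tools_replace"] if f["tools_replace"] else ""
        lines.append("%s %s: %s%s; actions=%s"
                     % (f["tag"], f["name"], f["reason"], extra, f["actions"]))
    return lines


if __name__ == "__main__":
    # Usage: python audit_manifest.py [path/to/merged/AndroidManifest.xml]
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for line in report(xml_text):
        print(line)
```

On the constructed sample this reports the launcher activity (implicitly exported by its intent filter, which is expected) and the Intercom push receiver (explicitly exported, with `tools:replace` overriding whatever the library manifest declared), while the service is skipped because it is `android:exported="false"`. Running it against the real merged manifest before and after the cleanup shows exactly which reachable components the change removed.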

> No configuration in AndroidManifest.xml is needed anymore according to the Installation Guide

It seems the documentation still suggests adding configuration to AndroidManifest.xml. My guess is removing this configuration will prevent Intercom related push notifications from working.

Can anyone confirm they've successfully re-submitted their app to the Play Store with the current configuration recommendations (including the service + intent filter section of AndroidManifest.xml) ?

BrantApps commented 3 years ago

@flochtililoch - @jim-at-jibba & I have this rejection reason too and are about to submit following the README line for line so we'll let you know.

tomhicks commented 3 years ago

@BrantApps 👋

Looking into this myself! How did you get on?

BrantApps commented 3 years ago

Literally....just now we found out that our release with this package at 17.0.0 has been approved.

Advice would be to completely redo the integration so nothing is missed.

The rejections we saw were numerous, with this library being one of the problems when at version 13.x.

abdullahizzuddiin commented 3 years ago

@BrantApps So, your app that has been approved is using rn-intercom version 17.0.0 without any tweak?

I mean, you just followed the instructions in the README?

BrantApps commented 3 years ago

> @BrantApps So, your app that has been approved is using rn-intercom version 17.0.0 without any tweak?
>
> I mean, you just followed the instructions in the README?

Yes. Although if you still see rejections for the same reason, Google won't tell you at any point which library is to blame. We had to file an appeal for them to actually tell us what they found that was in violation. Our rejection reasons were numerous, so keep filing appeals after each build to get more info.

Unbelievably terrible experience from Google Play

TechSupportPlugnotes commented 3 years ago

Hello, my English is poor. I use rn-intercom version 16.0.0 and I have the same issue, so what is the solution? Thanks :)

jim-at-jibba commented 3 years ago

@TechSupportPlugnotes You need to make sure you have updated the APKs for all the tracks and roll out to 100% straight away.

These were the instructions sent from someone at Google. I think making sure the new releases are set to 100% rollout is key.

Action required: Submit your updated APK

To submit an updated APK:

  1. Review the checklist to prepare your APK.
  2. Sign in to your Play Console.
  3. Select the app with the policy violation.
  4. On the left menu, select Release management > App releases.
  5. Next to the release type you want to create, select Manage.
  6. To create a new release, select Create release.
  7. Follow the on-screen instructions to upload the modified, policy compliant APK across all tracks, and deactivate the non-compliant APK(s).
    • To deactivate a non-compliant APK, please upload a compliant APK to the same track.
    • Be sure to increment the APK version number and set the release to 100% rollout, in order to successfully override and deactivate the non-compliant APK.
  8. Submit your app

Hope this helps

TechSupportPlugnotes commented 3 years ago

> @TechSupportPlugnotes You need to make sure you have updated the APKs for all the tracks and roll out to 100% straight away.
>
> These were the instructions sent from someone at Google. I think making sure the new releases are set to 100% rollout is key.
>
> Action required: Submit your updated APK
>
> To submit an updated APK:
>
>   1. Review the checklist to prepare your APK.
>   2. Sign in to your Play Console.
>   3. Select the app with the policy violation.
>   4. On the left menu, select Release management > App releases.
>   5. Next to the release type you want to create, select Manage.
>   6. To create a new release, select Create release.
>   7. Follow the on-screen instructions to upload the modified, policy compliant APK across all tracks, and deactivate the non-compliant APK(s).
>     • To deactivate a non-compliant APK, please upload a compliant APK to the same track.
>     • Be sure to increment the APK version number and set the release to 100% rollout, in order to successfully override and deactivate the non-compliant APK.
>   8. Submit your app
>
> Hope this helps

Hello, regarding this information: I'm speaking about how to resolve the issue. At the moment I removed MainMessagingClass, because I see that it didn't use FCM before; the last developer added all the info from the README and the push notifications work fine without it, so I would just like to know how to be sure that this modification resolves the problem.

jim-at-jibba commented 3 years ago

Just update the package and follow the readme. The fix is at a package level and nothing that you need to do except update

TechSupportPlugnotes commented 3 years ago

Ha, bad news: I can't update. I use react-native 0.59.10 and it's not possible at the moment to change version, so I'm blocked on version 16.

jim-at-jibba commented 3 years ago

I am not sure what to suggest. Fork this package and try to update, or remove this package and use an alternative. Not sure which will be more work. Sorry

danielmark0116 commented 3 years ago

I can confirm that updating the package and the setup helped in my case (we now run on 20.0.0 and use the existing FCM push messaging).

To sum up:

  1. Version bump of the package to 20.0.0
  2. Updating the setup (changing a few dependencies + updating AndroidManifest.xml: removing the Receiver tag and changing the Service tag to exactly how it is in the lib documentation)