Remediation for Implicit PendingIntent Vulnerability

[git-user-1337]

Hello! We are happily using react-native-push-notification in our app. At our latest update, Google contacted us because a potential vulnerability due to implicit pending-intents within our app. A complete article that describes this security breach can be found here. After searching through our code I found these lines of code, which look similar to the implicit intent pattern described in the article:

// RNPushNotificationHelper.java
Intent notificationIntent = new Intent(context, RNPushNotificationPublisher.class);
...
return PendingIntent.getBroadcast(context, notificationID, notificationIntent, PendingIntent.FLAG_UPDATE_CURRENT);

Has anyone using this package received the same warning from google? Do you think the above method could be related to that? Thanks for your help!

[raynormw]

Hi, we also have the same issue. Is there any workaround for solving this issue? or we have to wait the next version release?

Thank you so much.

[DDani]

We are facing the same issue here since a couple of days ago: we can't release new versions of our app due this. If there is not immediate solution, we can perhaps open a PR for this.

[Dallas62]

Hi, I'm not available this month for a fix, a PR is welcome. I may have few hours to release it if you have a PR this month. Or you will have to wait for August. Regards

[mussegam]

Hi,

Would it be enough to change the previous code to something like this? My android knowledge is a bit lacking hehe

Intent notificationIntent = new Intent(context, RNPushNotificationPublisher.class);
notificationIntent.setPackage(packageName);
notificationIntent.setAction(packageName + ".ACTION");

[bjacog]

This might help https://github.com/react-native-share/react-native-share/issues/1043 and https://github.com/react-native-share/react-native-share/pull/1046/files

[bjacog]

So I manually patched the version I had been using, it was really old so you might need to adjust for your version. Once I have updated my apps to the latest version of this lib I can make a PR to resolve this if it is still a problem with latest.

The app that passed review is using react-native-push-notification@3.1.9. Here is my patch that passed review:

--- a/node_modules/react-native-push-notification/android/src/main/java/com/dieam/reactnativepushnotification/modules/RNPushNotificationHelper.java
+++ b/node_modules/react-native-push-notification/android/src/main/java/com/dieam/reactnativepushnotification/modules/RNPushNotificationHelper.java
@@ -23,6 +23,7 @@ import androidx.core.app.NotificationCompat;
 import android.util.Log;

 import com.facebook.react.bridge.ReadableMap;
+import com.facebook.react.bridge.ReactContext;

 import org.json.JSONArray;
 import org.json.JSONException;
@@ -73,6 +74,7 @@ public class RNPushNotificationHelper {
         int notificationID = Integer.parseInt(bundle.getString("id"));

         Intent notificationIntent = new Intent(context, RNPushNotificationPublisher.class);
+        notificationIntent.setPackage(context.getPackageName());
         notificationIntent.putExtra(RNPushNotificationPublisher.NOTIFICATION_ID, notificationID);
         notificationIntent.putExtras(bundle);

@@ -276,6 +278,7 @@ public class RNPushNotificationHelper {
             notification.setStyle(new NotificationCompat.BigTextStyle().bigText(bigText));

             Intent intent = new Intent(context, intentClass);
+            intent.setPackage(context.getPackageName());
             intent.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
             bundle.putBoolean("userInteraction", true);
             intent.putExtra("notification", bundle);
@@ -359,6 +362,7 @@ public class RNPushNotificationHelper {
                     }

                     Intent actionIntent = new Intent(context, intentClass);
+                    actionIntent.setPackage(context.getPackageName());
                     actionIntent.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
                     actionIntent.setAction(context.getPackageName() + "." + action);

[git-user-1337]

Hey @bjacog, thanks for your suggestion, with the adjustments it seems to work just fine. But I identified the following issue: If users update from a previous version of the app with some local notifications scheduled, we can't seem to cancel / edit those old notifications in the new app. E.g. in my case I am calling cancelAllLocalNotifications sometimes to clear all local notifications, but that won't clear any notifications scheduled before the update. I guess it's related to the scheduledNotificationsPersistence instance which might not contain the old notifications anymore, but I don't really understand why. Do you have any clue what is happening there? Thanks again for the help :)

[bjacog]

@git-user-1337 I'm no export on Android or push notifications but the only change is setting package context so I imagine the cancelAllLocalNotifications perhaps use package context to filter the notifications. So before update: notifications do not have the package context, then after updating the call to cancelAllLocalNotifications now looks for notifications with context?

It is a shot in the dark, sorry I don't have time atm to investigate it a bit more.

[aotaduy]

Im having this issue even with 8.1.1. Can we create a pull request based on @bjacog changes?

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 30 days if no further activity occurs. Thank you for your contributions.