androidbroadcastreceivergoogle-play-servicesandroid-securitysms-retriever-api

Intent Redirection Vulnerability Notification From Google Play


I built a one-tap consent OTP-verification for my android app as per: https://developers.google.com/identity/sms-retriever/user-consent/request

The only difference in my code is that I changed

override fun onCreate(savedInstanceState: Bundle?) {
    // ...

    val intentFilter = IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION)
    registerReceiver(smsVerificationReceiver, SmsRetriever.SEND_PERMISSION, intentFilter)
}

in the article, to:

  // ...
     val intenetFilter = IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION)
     registerReceiver(smsBroadcastReceiver, intenetFilter)

I removed the SmsRetriever.SEND_PERMISSION because I get a type mismatch error as shown in the image: error showing type mismatch This may be because Google states here that This permission setting is available in Google Play services version 19.8.31 or higher. However, I am using

implementation 'com.google.android.gms:play-services-auth:19.2.0'

implementation 'com.google.android.gms:play-services-auth-api-phone:17.5.1'

in my build gradle. I don't think there is a 19.8.31 version of play-services-auth available for download yet.

So then I tried another way by adding the following permission for my broadcast receiver in my android manifest:

        <receiver
            android:name=".ui.otpVerification.SmsBroadcastReceiver"
            android:exported="true"
            android:permission="com.google.android.gms.auth.api.phone.permission.SEND">
            <intent-filter>
                <action android:name="com.google.android.gms.auth.api.phone.SMS_RETRIEVED" />
            </intent-filter>
        </receiver>

And I thought this would solve the intent vulnerability issue because I am setting SEND_PERMISSIONpermission for my receiver as mentioned in https://support.google.com/faqs/answer/9267555

However, when I created a new release and submitted it for review, I still got the same notification returning an Intent Redirection Vulnerability. Is there anything that I am doing incorrectly? Anything else I need to consider?


Solution

  • I added the following instead and it worked.

      // ...
         val intenetFilter = IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION)
          registerReceiver(smsBroadcastReceiver, intenetFilter, SmsRetriever.SEND_PERMISSION, null)
    

    Didn't need to do anything on Android Manifest. Only changed the line above.