androidpush-notificationhuawei-mobile-serviceshuawei-push-notificationhuawei-account

HMS Push Service Security Vulnerability


Our security team found insecure functions that exist in Push Kit libraries and would like to know whether it would be fixed in upcoming versions or it will stay and we have to accept the risk or if there is any customization can be done to overcome the security concerns:

Improper Verification of Intent (CWE-925), App Permissions (MSTG-PLATFORM-1)

we are using the below sdk version:

implementation 'com.huawei.hms:hwid:5.0.1.300'

implementation 'com.huawei.hms:push:5.0.2.300'

and below are the details:

Service: com.huawei.hms.support.api.push.service.HmsMsgService

the service in the SDK manifest file exists as below:

<service android:name="com.huawei.hms.support.api.push.service.HmsMsgService" android:enabled="true" android:exported="true" android:process=":pushservice" android:directBootAware="true">

<intent-filter>

<action android:name="com.huawei.push.msg.NOTIFY_MSG" />

<action android:name="com.huawei.push.msg.PASSBY_MSG" />

</intent-filter>

</service>

which means that this service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.

so, we need your support to add protectionLevel: signatureOrSystem or protect it by protected permission android:permission="PermissionName".

Any feedback is highly appreciated.


Solution

  • Confirmed by relevant teams, the HmsMsgService is open to the HMS. After the HMS is started, the package name verification and other verification will be performed. In addition, the service is not a message receiving module of Huawei mobile phones and needs to be open to the HMS, and the HMS cannot set permissions for applications in advance. Besides, the service has two layers of verification, namely, source package name verification and HMS signature verification, which has no security risk.

    Therefore, the HmsMsgService will not be used by other applications and will not cause security issues. There is no need to add protectionLevel: signatureOrSystem or android:permission="permissionName" to this service, which has no security risks. Please feel free to use.