Implicit Internal Intent error on CHT-android release

Gilbert · March 17, 2022, 10:02am

The other day I tried to publish an aab built from v0.12.1 of cht-android
I got as review an error in the pre-release report from the google play developer console tab saying:

Security and trust
Implicit Internal Intent

Is there a way to get rid of this problem or do we have to update the code and build it again to be able to publish?
Have a good day

Jennifer_Quesada · March 17, 2022, 10:47am

Hi @Gilbert

Thanks for your question. Does the Google Play Developer Console give more information? Any additional data will help us find the problem.

Thanks,
Jennifer

Gilbert · March 17, 2022, 10:49am

Not really, just a link to the help section related to the issue, here is what I can read there:

Remediation of Implicit Internal Intent Vulnerability

This information is intended for developers with app(s) that use Implicit Intents to reach one of their internal components.

What’s happening

One or more of your apps contain an Implicit Internal Intent issue. Implicit Intents used to reach an internal component allow attackers to intercept the message and either drop it, read its contents, or even replace its contents. Location(s) of the Implicit Intent usage(s) in your app can be found in the Play Console notification for your app.

How to fix “Implicit Internal Intent” alerts

Review your app for the location where an Implicit Intent is used. For example the following code uses Implicit Intents to reach an internal component:

//The app has a component that registers MY_CUSTOM_ACTION, which is only

//registered by this app, indicating that the dev intends for this Intent

//to be delivered to the internal component safely.

Intent intent = new Intent("MY_CUSTOM_ACTION");

//Add potentially sensitive content to 'intent'

intent.putExtra("message", sensitive_content);

startActivity(intent);

Jennifer_Quesada · March 18, 2022, 3:19am

Thanks Gilbert. Can you please have a look at the Play Console notification for your app and check if it contains more information about the warning?

derick · March 18, 2022, 11:09am

@Gilbert I’m doing a v0.11.1 patch release with your changes. It should be available in the next half hour or so. Please let us know if you encounter problems publishing that.

In the meantime, any more information that you are able to share on the error you encountered will help guide our investigation.

Gilbert · March 18, 2022, 12:24pm

Thank you very much @Jennifer_Quesada and @derick,
unfortunately, I don’t have any additional information

Gilbert · March 18, 2022, 1:56pm

Hi @derick ,
I can see the v0.11.1 tag you created. But I can’t see its bundles, the last bundle I see are related to the v0.12.1 which is the one having an issue now.
Thank you

derick · March 18, 2022, 1:59pm

@Gilbert I’ve fixed that. Check again.

Gilbert · March 18, 2022, 2:36pm

I can see the releases now.
Let me publish it and revert.
Thank you

Gilbert · March 18, 2022, 4:13pm

I created a new release with the bundle I downloaded. now I’m having another error related the to new aab v0.11.1

I also tried to install the APK on android 8.1.0 and it fails. But it works on version 11

Jennifer_Quesada · March 21, 2022, 5:39am

Hi Gilbert,

Thanks for following up, regarding this issue:

#1

Error: You can’t rollout this release because it doesn’t allow any existing users to upgrade to the newly added app bundles.

The error could be because this release has lower versionCode and/or versionName than a previously existing release in Google Play Console.
If this is the first time making CHT-RCI app available in the market, are you able to delete the previous release that won’t be used? Or start from fresh? So that CHT-RCI v0.11.1 is the only one available.

About this other one:

#2

I also tried to install the APK on android 8.1.0 and it fails

Can you please let us know the following?

Phone brand and specs.
Steps you have followed to install the app in this phone

This release and previous ones from our Android app support Android Kitkat (4.4) which uses CrossWalk (XWalk). Because of this, phones with Android version 4.4 to 9 should use any of these 2 XWalk APK, corresponding to the phone architecture (armeabi-v7a or arm64-v8a):

cht-android-v0.11.1-cht_rci-xwalk-armeabi-v7a-release.apk
cht-android-v0.11.1-cht_rci-xwalk-arm64-v8a-release.apk

You can try first with cht-android-v0.11.1-cht_rci-xwalk-armeabi-v7a-release.apk, must phones are okay with armeabi-v7a. I tested both XWalks APKs on the only device I have, Nokia 8 with Android 9, working fine.

Phones with Android version 10 and 11 should use the Webview APK:

cht-android-v0.11.1-cht_rci-webview-arm64-v8a-release.apk

Make sure all the bundles (Xwalk and Webview) are uploaded into Google Play Console:

Screen Shot 2022-03-21 at 11.36.39 am

Google Play will install the right one according to the user’s device.

Kind regards,

Gilbert · March 21, 2022, 10:45am

Thank you @Jennifer_Quesada for your reply

#1
You are right about, the first version that failed was v0.12 and the new one is v0.11.
I had the option to remove v0.11 but I couldn’t remove v0.12 so I created a new release using cht-android-v0.11.1-cht_rci-webview-release.aab and cht -android-v0.11.1-cht_rci-xwalk-release.aab, now I’m waiting for review

2#
I was using Ulefone power5 v02 with Android 8.1.2 Kernel 4.4.95+
I copied the cht-android-v0.11.1-cht_rci-webview-arm64-v8a-release.apk to the phone via WhatsApp. After that, I tried the install which failed
Now I am using cht-android-v0.11.1-cht_rci-xwalk-arm64-v8a-release.apk and it worked fine.
It is very helpful to know the information you shared above.
Thanks very much