This information is intended for developers with app(s) that use Implicit Intents to reach one of their internal components.
What’s happening
One or more of your apps contain an Implicit Internal Intent issue. Implicit Intents used to reach an internal component allow attackers to intercept the message and either drop it, read its contents, or even replace its contents. Location(s) of the Implicit Intent usage(s) in your app can be found in the Play Console notification for your app. If a location ends with “(in dynamically loaded code)” then the location is in code dynamically loaded by the app or by libraries used by the app. Applications typically use dynamically loaded code through on-demand feature delivery, though other unrecommended techniques exist (some unrecommended techniques also violate the Google Play policy and should not be used). Additionally, packers can transform application code into dynamically loaded code.
How to fix “Implicit Internal Intent” alerts
Review your app for the location where an Implicit Intent is used. For example, the following code uses Implicit Intents to reach an internal component:
//The app has a component that registers MY_CUSTOM_ACTION, which is only
//registered by this app, indicating that the dev intends for this Intent
//to be delivered to the internal component safely.
Intent intent = new Intent("MY_CUSTOM_ACTION");
//Add potentially sensitive content to 'intent'
intent.putExtra("message", sensitive_content);
startActivity(intent);
Google recommends that developers use Explicit Intents to reach their internal components, in one of the following ways:
- Use Intent.setComponent to explicitly set the component to handle the Intent.
- Use Intent.setClass or Intent.setClassName to explicitly set the target component.
- Use Intent.setPackage to limit the components this Intent will resolve to.
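The three options above, applied to the implicit Intent from the earlier snippet. This is an added example, not code from the original page; the class InternalIntents, the component InternalActivity and the parameter names are hypothetical.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

// Added example. InternalActivity is a hypothetical internal component of
// the app; "MY_CUSTOM_ACTION" and the "message" extra come from the snippet above.
public final class InternalIntents {
    private static final String ACTION = "MY_CUSTOM_ACTION";

    private InternalIntents() {}

    // Option 1: Intent.setComponent names the exact handler.
    static Intent viaSetComponent(Context ctx, String sensitiveContent) {
        Intent intent = new Intent(ACTION);
        intent.setComponent(new ComponentName(ctx, InternalActivity.class));
        intent.putExtra("message", sensitiveContent);
        return intent;
    }

    // Option 2: Intent.setClass (or setClassName) also sets the target.
    static Intent viaSetClass(Context ctx, String sensitiveContent) {
        Intent intent = new Intent(ACTION);
        intent.setClass(ctx, InternalActivity.class);
        intent.putExtra("message", sensitiveContent);
        return intent;
    }

    // Option 3: Intent.setPackage keeps action-based resolution but only
    // considers components inside this app's own package.
    static Intent viaSetPackage(Context ctx, String sensitiveContent) {
        Intent intent = new Intent(ACTION);
        intent.setPackage(ctx.getPackageName());
        intent.putExtra("message", sensitiveContent);
        return intent;
    }

    // Hypothetical internal component, declared in the app's manifest.
    public static class InternalActivity extends Activity {}
}
```

Each method returns an Intent that can be passed to startActivity in place of the implicit one.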
Next Steps
- Update your app using the steps highlighted above.
- Sign in to your Play Console and submit an updated version of your app.
During this time, your new app or app update will be in an in-review status until your request is reviewed. If the app has not been updated correctly, you will still see the warning.
We’re here to help
If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our support team.