Remediation for Implicit PendingIntent Vulnerability

This information is intended for developers with app(s) that contain the Implicit PendingIntent Vulnerability.

What’s happening

One or more of your apps contain an Implicit PendingIntent issue which may cause security threats in the form of denial-of-service, private data theft, and privilege escalation. Please review the detailed steps below to fix the issue with your apps.  Location(s) of the Implicit PendingIntent usage(s) in your app can be found in the Play Console notification for your app. If a location ends with “(in dynamically loaded code)” then the location is in code dynamically loaded by the app or by libraries used by the app. Applications typically use dynamically loaded code through on-demand feature delivery, though other unrecommended techniques exist (some unrecommended techniques also violate the Google Play policy and should not be used). Additionally, packers can transform application code into dynamically loaded code.

Fixing this issue is recommended but not mandatory. The publication status of your app will be unaffected by the presence of this issue.

Additional details

Android apps send messages between components using Intents. Intents can either specify the target component (Explicit Intent) or list a general action and let the operating system deliver the Intent to any component on the device that registers an Intent Filter matching that action (Implicit Intent).

PendingIntents are Intents delegated to another app to be delivered at some future time. Creating an implicit intent wrapped under a PendingIntent is a security vulnerability that might lead to denial-of-service, private data theft, and privilege escalation. 

Next Steps

1. Update your app and fix “Implicit PendingIntent” alerts using the steps highlighted below.

Review your app for the location where a PendingIntent is created. For example, the following code creates a PendingIntent wrapping an implicit intent: 

// Create an implicit base Intent and wrap it in a PendingIntent

Intent base = new Intent("ACTION_FOO");

base.setPackage("some_package");

PendingIntent pi = PendingIntent.getService(this, 0, base, 0);

Google recommends that developers fix the vulnerability by applying any (or even better, all) of the following:

• Ensuring that the action, package, and component fields of the base Intent are set; 
• Ensuring that the PendingIntent is only delivered to trusted components; 
• Using FLAG_IMMUTABLE (added in SDK 23) to create PendingIntents. This prevents apps that receive the PendingIntent from filling in unpopulated properties. In case the app also runs on devices running SDK 22 or older, we recommend developers to apply the previous options while strengthening the PendingIntent creation with the pattern:

if (android.os.Build.VERSION.SDK_INT >= 23) {

  // Create a PendingIntent using FLAG_IMMUTABLE

} else {

  // Existing code that creates a PendingIntent

}

2. Submit your updated APK

To submit an updated app bundle or APK:

1. Go to your Play Console.
2. Select the app.
3. Go to the App bundle explorer.
4. Select the non-compliant APK/app bundle's App version at the top right dropdown menu, and make a note of which releases they are under.
5. Go to the track with the policy issue. It will be one of these 4 pages: Internal / Closed / Open testing or Production.
6. Near the top right of the page, click Create new release. (You may need to click Manage track first)
   • If the release with the violating APK is in a draft state, discard the release.
7. Add the policy compliant version of app bundles or APKs.
   • Make sure the non-compliant version of app bundles or APKs is under the Not included section of this release. For further guidance, please see the "Not included (app bundles and APKs)" section in this Play Console Help article.
8. To save any changes you make to your release, select Save.
9. When you've finished preparing your release, select Review release.

If the non-compliant APK is released to multiple tracks, repeat steps 5-9 in each track.

During this time your new app or app update will be in a in review status until your request is reviewed. If the app has not been updated correctly, you will still see the warning.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our support team.