This information is intended for developers with app(s) that contain the Intent Scheme Hijacking Vulnerability.
What’s happening
One or more of your apps contain an Intent-Scheme Hijacking issue which can allow malicious networks and websites to access private app components. Vulnerable locations in your app can be found in the Play Console notification for your app. If a location ends with “(in dynamically loaded code)” then the location is in code dynamically loaded by the app or by libraries used by the app. Applications typically use dynamically loaded code through on-demand feature delivery, though other unrecommended techniques exist (some unrecommended techniques also violate the Google Play policy and should not be used). Additionally, packers can transform application code into dynamically loaded code.
After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.
Action required
- Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
- Update your affected apps using the steps highlighted below.
- Submit the updated versions of your affected apps.
Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.
Additional details
WebViews that visit untrusted web content, parse intent:// links using Intent.parseUri, and send those Intents using startActivity are vulnerable to Intent-Scheme Hijacking. These WebViews can be tricked by malicious web content into sending arbitrary Intents to private app components. This can lead to app compromises such as the theft of private app data that such components manipulate. Note that untrusted web content includes content from trusted domains that is loaded over HTTP.
We recommend that you prevent this vulnerability in one of the following ways:
Option 1: Ensure that WebViews cannot send arbitrary Intents
Apps can constrain Intents constructed with Intent.parseUri to only be sent as Implicit Intents to components with BROWSABLE Intent Filters using the following code:
// convert Intent scheme URL to Intent object
// (parseUri takes a flags argument and throws URISyntaxException on malformed input)
Intent intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
// forbid launching activities without BROWSABLE category
intent.addCategory("android.intent.category.BROWSABLE");
// forbid explicit call
intent.setComponent(null);
// forbid Intent with selector Intent
intent.setSelector(null);
// start the activity by the Intent
view.getContext().startActivity(intent);
Option 2: Ensure that affected WebViews do not load untrusted web content
If a WebView needs to parse arbitrary intent:// scheme URLs, please ensure that it does not load untrusted web content. Untrusted web content includes web content loaded over an unencrypted connection. Developers can set android:usesCleartextTraffic to false in their Manifest or set a Network Security Config that disallows HTTP traffic. Alternatively, they can ensure that any affected WebViews do not load any URLs with HTTP schemes with loadUrl.
We recommend that developers ensure that affected WebViews do not load unrestricted URLs obtained from untrusted sources (e.g., URLs obtained from untrusted Intents).
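The following added example (not part of the original notice) shows where the Option 1 restrictions sit inside a WebViewClient, and also refuses navigations to anything other than HTTPS in line with Option 2. The class name SafeIntentWebViewClient and the helper launchBrowsableOnly are hypothetical, and the WebResourceRequest overload assumes API level 24 or later.

```java
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.net.URISyntaxException;

// Hypothetical class; attach with webView.setWebViewClient(new SafeIntentWebViewClient()).
public class SafeIntentWebViewClient extends WebViewClient {

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri uri = request.getUrl();
        String scheme = uri.getScheme();

        if ("https".equalsIgnoreCase(scheme)) {
            return false; // encrypted content: let the WebView load it
        }
        if ("intent".equalsIgnoreCase(scheme)) {
            launchBrowsableOnly(view.getContext(), uri.toString());
            return true; // handled here, never passed to the WebView
        }
        // Any other scheme, including http://, is not navigated to.
        // This callback only sees navigations; it does not replace the
        // cleartext settings described in Option 2.
        return true;
    }

    private static void launchBrowsableOnly(Context context, String url) {
        try {
            Intent intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
            intent.addCategory(Intent.CATEGORY_BROWSABLE); // BROWSABLE filters only
            intent.setComponent(null);                     // drop explicit target
            intent.setSelector(null);                      // drop selector Intent
            context.startActivity(intent);
        } catch (URISyntaxException e) {
            // Malformed intent:// URL from the page: ignore it.
        } catch (ActivityNotFoundException e) {
            // No BROWSABLE activity matches the constrained Intent: ignore it.
        }
    }
}
```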
We’re here to help
If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.