Android Intent Redirection vulnerability

Hello,
We've been working on a game that we now alpha test in Google Play. Meaning we are submitting our builds there to distribute to our testers.
In latest update, we added IAPs. After some headaches all seem to have started to work. But now, when we submit a build to the google play console, we get a following warning:


Your app contains an Intent Redirection vulnerability. Please see this Google Help Center article for details.
Vulnerable classes:

• com.xiaomi.account.openauth.AuthorizeActivityBase.onCreate

Please fix the issue before: 08/13/2019


We would really like to get rid of this warning obviously, as soon as possible so we don't have to think of another thing to sort out later. We are currently planning on releasing on iOS App Store and Google Play, later on Steam and/or on Epic store. No xiaomi specific stores.

 

I'm experiencing the same issue, i removed XiaomiSupport folder

 

How do I remove that folder? Where it is located, I have exactly the same problem in all my games.

 

We have not heard of this issue previously. Please test with Unity IAP 1.22 if not already, available as an update through the Services window, or the Asset Store. Did you target Google Play in your settings? In the Unity Editor, select menu Window/IAP/Target Android

 

I am having the same issue. I do not seem able to update Unity IAP. I've downloaded and imported 1.22, however it appears to still be the older Unity IAP plugin.

Please take a look at the changelog attached. This is what I see in my plugin folder after downloading the latest Unity IAP. I don't know how else to determine what version I've got.

 

That is a VERY old version of IAP. Please test on a new/empty project with a recent version of Unity. To import IAP, first enable Analytics in the Services window (Window/General/Services or Window/Services). Then enable IAP in the Services window and go through the prompts, it will install the necessary asset. It will also prompt you to update your API, you must say yes. The steps are outlined here: https://forum.unity.com/threads/iap-troubleshooting-remove-and-reinstall-unity-iap.511747/

 

All your games? Did you not notice the issue in your first game? Please elaborate.

 

Hi JeffD,

I'm unable to start fresh with a new project, as my game has been in the app stores for nearly three years and is doing well. I can't start over. I have analytics enabled, 2018.3.6f1, and the services window insists that my Unity IAP is up to date.

Please see the attached pictures. How can I fix this?

 

As a TEST, try with a new project to become familiar with the process and eliminate other variables. Also, you should be able to see the IAP version from the Window menu, IAP. And confirm that you went through the steps in the reinstall link.

 

I will try the steps in your link now, deleting both the /Plugins/UnityPurchasing/ and /Plugins/UnityChannel/ folders first. I've made a backup of the project.

I don't see IAP in the Window menu, using 2018.3.

 

That means the import didn't work. You need to ensure that you select "Yes I made a backup" when prompted to update the API. Also, there can't be any compile issues, prior and during your import. When you first delete the folders, you need to ensure that your app still compiles and runs before importing again, you may need to remove any IAP references.

 

I've deleted the folders. The app does not compile, but I suspect this is because I need to reimport IAP. See errors attached.

 

No, you MUST fix the compiler errors before importing. You need to either remove Purchaser.cs or comment out the offending lines.

 

You've been helpful, thank you. I've followed your instructions and the changelog now shows 1.22. I also see IAP in the Window menu. See picture.

 

I also got this alert from Google Play.

Unity IAP 1.22.0, Unity 2018.4.0f1.
Google Play is selected in Window » Unity IAP » Android.

It's the same alert Lad-Ty posted. I'll try to remove the XiaomiSupport folder as a workaround.

 

i am also getting the same alert message from google . Will updating to IAP 1.22 will resolve the issue ? please reply as soon as possible.

 

Removing the XiaomiSupport folder doesn't help, the offending code is in UnityChannel.aar.

I've patched the aar by unzipping it, removing all activities from the two AndroidManifest.xml and then re-zipping it. Uploaded to Google Play and now waiting to see if I get another alert, the Xiaomi activities are no longer in the manifest.

@SoulBreaker As I said, I'm on IAP 1.22.0 and also got the alert. Unity will have to release an update.

 

Haven't received an alert so far (more than two hours since upload, received the last alert in less than 30 minutes).

 

It is a freshly installed Unity IAP, in the changelog txt I see it's the 1.22 you specified. But I did not have "Target Google Play" selected in the menu you hinted on (Window/Unity IAP/Android/Target Google Play). I will try the next build with that ticked (and hopefully get back here with a response later if sorted the issue), thank you, was not aware of that submenu.

 

@Adrian so i just need to remove only mentioned activity or all xiaomi activities.
But for me alert message is this one

• com.xiaomi.account.openauth.b.onCreate

But i didn't found exact activity in androidmanifest.xml. Does my alert also refer to "com.xiaomi.account.openauth.AuthorizeActivity" this activity.

 

You can find the line android:exported="true", and replace with False

 

@lizyn But i am unable to find below mentioned activity in both android manifest files.

• com.xiaomi.account.openauth.b.onCreate

 

To the people watching this thread, the issue (the one I talked about) is quite easily fixable by what JeffDUnity3D said. In Unity menu go through "Window/Unity IAP/Android/" and tick "Target Google Play", it will likely properly strip off the "incriminated" xiaomi classes. After submitting a build that had this done I have no mroe Security & privacy issues in the google play Pre-launch report. Thank you Jeff

 

@Lad-Ty I had Google Play checked from the beginning and still got the alert.

@lizyn There should be «com.xiaomi.account.openauth.AuthorizeActivity» in the manifest. I assume that extends the mentioned «com.xiaomi.account.openauth.AuthorizeActivityBase» and the «onCreate» is just a method that's part of an activity.

 

@Adrian thanks i will try that.
@Lad-Ty Yes @Adrian is right i also checked google play as target.

 

Fixing the xiaomi security alert (com.xiaomi.account.openauth.AuthorizeActivityBase.onCreate)
Open UnityChannel.aar file with 7zip In the AndroidManifest.xml , set android:exported="false" in the android:name="com.xiaomi.account.openauth.AuthorizeActivity" section.

Code (CSharp):

1.   <activity
2.             android:name="com.xiaomi.account.openauth.AuthorizeActivity"
3.             android:configChanges="orientation|screenSize"
4.             android:exported="false"
5.             android:theme="@android:style/Theme.Translucent.NoTitleBar" />

 

I made the same issue when I mistakenly clicked the "Add" button of Xiaomi Mi Game Center( in Build Settings of Unity Editor).

I fixed this issue easily by clicking "Remove" button of Xiaomi Mi Game Center.

Then,

I made a new APK file and uploaded it on Google Plays Console for test so that Google may check this new APK.


I hope this would be helpful.

 

We have determined that the issue in this (and other similar threads) is due to including the Xiaomi Gamecenter SDK in your build, or ANY previous Alpha/Beta release. This option is on the Build dialog, and should not be checked. Also remove any previous builds from Alpha/Beta/Internal tests.

 

EDIT:
This issue was resolved by Removing the IAP plugin completely and re-installing it.
The other mandatory settings are (if not set yet)
1. Removing the Xiaomi Gamecenter SDK (if exists)
2. WIndow->UnityIAP->Android->Target Google play

 

We do not believe this to be accurate. We have only seen this when the Xiaomi Gamecenter SDK is installed. We have not reproduced any other way. If you can reproduce on a new project, we would be most interested.

 

Yes you are correct. We cannot find the issue in an empty build. Removing the unity IAP plugin completely and re-installing it solved the problem.

 

Hello. I have this issue but I don't even have the option to remove Xiaomi Mi Game Center from build settings; I don't have IAP window in Wndows tab; and I don't have the UnityChannel.aar in plugins.
How can I solve this?
Thank you very much.

 

Please provide the contents of your Android manifest, and steps to reproduce on a new project.

 

Hello,

I have similar issue and don't use Xiaomi plugin/package.
But I see Xiaomi package.. need remove and will be ok?

or where can set android:exported="false". I can't see it in manifest.

We reviewed your app, with package name com.name...., and found that your app uses software that contains security vulnerabilities for users. Apps with these vulnerabilities can expose user information or damage a user’s device, and may be considered to be in violation of our Malicious Behavior policy.



Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please migrate your apps to use the updated software as soon as possible and increment the version number of the upgraded APK.



Vulnerability APK Version(s) Deadline to fix

Intent Redirection

Your app(s) are vulnerable to Intent Redirection.

Thanks.

 

Please provide the contents of your manifest

 

Thanks for help!

I removed Xiaomi SDK from Window->Package manager.
It's OK now.

 

Hey bro did removing Xiaomi SDK really help solving your problem because i have rhe exact same issues and I'm desperate i can't find a solution, please respond dude.

 

So I removed Xiaomi SDK folder and i uploaded the final version it worked, now the problem is admob ads are not showing anymore in the new Build version, but they're showing in the previous version i really can't find out where's the problem, please help !!

 

Sorry, we would not be able to assist with admob questions in this forum