
Your app(s) are vulnerable to Intent Redirection

Discussion in 'Unity IAP' started by Ukounu, Jul 4, 2021.

Thread Status:
Not open for further replies.
  1. Ukounu

    Ukounu

    Joined:
    Nov 2, 2019
    Posts:
    209
    Today I got an email from Google Play with a warning that my APK contains security vulnerabilities

    [attachment: Untitled-1.png]

    The issue seems to be similar to this closed thread:

    https://forum.unity.com/threads/android-intent-redirection-vulnerability.681985/

    But it suggests removing Xiaomi game center and/or Xiaomi SDK. I never used either and have now double-checked that I don't have them (the SDK is not installed in the Package Manager window, and the game center is not added in the Android build settings window).

    The issue happened after I updated from Unity IAP version 1.18.0 (never had this issue) to version 2.3.0 (the latest for Unity 2018.4). My first attempt to submit an APK with IAP version 2.3.0 resulted in this warning.

    In Google Play console, my old APK had 3 permissions:
    Code (csharp):
    android.permission.INTERNET, android.permission.READ_EXTERNAL_STORAGE, com.android.vending.BILLING
    New APK requests 10:
    Code (csharp):
    7 DIFFERENTIATING
    android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.GET_ACCOUNTS, android.permission.GET_TASKS, android.permission.READ_PHONE_STATE, com.xiaomi.permission.AUTH_SERVICE, com.xiaomi.sdk.permission.PAYMENT
    3 COMMON
    android.permission.INTERNET, android.permission.READ_EXTERNAL_STORAGE, com.android.vending.BILLING
    I assume those additional permissions appeared due to upgrading IAP from 1.18.0 to 2.3.0, and that's what caused that security warning? How do I get rid of those additional 7 permissions?
     
    Last edited: Jul 4, 2021
  2. JeffDUnity3D

    JeffDUnity3D

    Joined:
    May 2, 2017
    Posts:
    14,446
    This does not look related to IAP, we don't set those permission requirements. Please test with IAP 3.2.2, you'll need to upgrade Unity also.
     
  3. Tx

    Tx

    Joined:
    Jul 4, 2012
    Posts:
    108
    I got this warning email too from Google and in my last update I got READ_PHONE_STATE out of the blue.
    I needed a superfast build so I did not try to find the cause of this new permission and I just "solved" the issue by forcing it off in the manifest. I currently use IAP 2.0.0 in Unity 2018.4.32.

    The suggested solution to fix this problem is to upgrade to Unity 2019.4 (I would like to always use an LTS)?
    Would this Unity upgrade and IAP 3.2.2 be compatible with the new Google requirements of using their in-app purchase 3.0 version?
     
  4. Ukounu

    Ukounu

    Joined:
    Nov 2, 2019
    Posts:
    209
    It's 100% related to IAP, since after I copy pasted "UnityPurchasing" folder from a backup of the same project (IAP 1.18.0), compiled APK uploaded to Google Play didn't have that warning any longer (it had a different warning though about need to migrate to Google Play billing version 3 - which is why I was attempting to upgrade IAP, in the first place). Also, those additional 7 permissions disappeared after restoring IAP 1.18.0.

    Are you saying that Unity 2018.4 is not maintained any longer and there is no way to fix this issue apart from switching to Unity 2019? I would prefer to continue using 2018.4.
     
    Last edited: Jul 7, 2021
  5. PutridEx

    PutridEx

    Joined:
    Feb 3, 2021
    Posts:
    1,136
    I believe 2018 LTS support is over now.
     
  6. Ukounu

    Ukounu

    Joined:
    Nov 2, 2019
    Posts:
    209
    Can you please provide more detailed instructions for this? I never manually edited manifest files before.
     
  7. Tx

    Tx

    Joined:
    Jul 4, 2012
    Posts:
    108
    I build in Android Studio (4.0.1) after exporting the project. Then, in this tool, I open the main manifest (AndroidManifest.xml), which is visible in the folder "manifests".

    In this file, after the closing of the application tag (search for </application>) I pasted this code:

    <!-- needs xmlns:tools="http://schemas.android.com/tools" declared on the <manifest> element -->
    <uses-permission
        android:name="android.permission.READ_PHONE_STATE"
        tools:node="remove" />


    I learnt this 'trick' reading this post
    https://stackoverflow.com/questions/39668549/why-has-the-read-phone-state-permission-been-added

    I removed the permission and I didn't have any report from users of broken IAP (until now at least!)
     
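    As an added example (not code from this thread, from Unity or from Google), the Python script below does the two things the thread asks for: it parses two AndroidManifest.xml files and splits their uses-permission entries into the "DIFFERENTIATING" and "COMMON" groups the Play console shows in the first post, and it appends a tools:node="remove" override for each unwanted permission, in the position Tx describes (after the application element). The two manifests embedded in it are constructed to mirror the permission lists posted above; the package name is a placeholder. The one detail the override depends on is the xmlns:tools="http://schemas.android.com/tools" declaration on the manifest root, which the serializer adds here if the input lacks it; without it the manifest is not valid XML and the build fails. Note also that Google's Intent Redirection warning is about how an app's exported components handle Intents they receive, not about which permissions it requests, so trimming permissions is a separate change from fixing that finding.

```python
"""Diff <uses-permission> entries of two AndroidManifest.xml files and emit
tools:node="remove" overrides for the unwanted ones.

Added example for this thread; not code from Unity, Google Play or any poster.
Both manifests are constructed to mirror the permission lists in the first
post; the package name is a placeholder.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"

# Constructed: what the old APK (IAP 1.18.0) declared.
OLD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
  <uses-permission android:name="com.android.vending.BILLING" />
  <application android:label="Game" />
</manifest>
"""

# Constructed: the merged manifest of the new APK, with the seven extra entries.
NEW_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
  <uses-permission android:name="com.android.vending.BILLING" />
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
  <uses-permission android:name="android.permission.GET_ACCOUNTS" />
  <uses-permission android:name="android.permission.GET_TASKS" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="com.xiaomi.permission.AUTH_SERVICE" />
  <uses-permission android:name="com.xiaomi.sdk.permission.PAYMENT" />
  <application android:label="Game" />
</manifest>
"""


def _uses_permissions(manifest_xml):
    """Yield (name, is_removal_override) for every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter("uses-permission"):
        name = el.get("{%s}name" % ANDROID_NS)
        yield name, el.get("{%s}node" % TOOLS_NS) == "remove"


def declared_permissions(manifest_xml):
    """Permissions the manifest asks for (removal overrides excluded)."""
    return {n for n, removal in _uses_permissions(manifest_xml) if not removal}


def removal_targets(manifest_xml):
    """Permissions the manifest tells the Gradle manifest merger to drop."""
    return {n for n, removal in _uses_permissions(manifest_xml) if removal}


def effective_permissions(manifest_xml):
    """Approximation of what the merger keeps: declared minus removed."""
    return declared_permissions(manifest_xml) - removal_targets(manifest_xml)


def diff_permissions(old_xml, new_xml):
    """Group the new manifest's permissions the way the Play console does."""
    old, new = effective_permissions(old_xml), effective_permissions(new_xml)
    return {
        "differentiating": sorted(new - old),
        "common": sorted(new & old),
        "dropped": sorted(old - new),
    }


def add_removal_overrides(manifest_xml, names):
    """Append one <uses-permission ... tools:node="remove" /> per name after
    <application> and return the new XML with the tools namespace declared."""
    ET.register_namespace("android", ANDROID_NS)
    ET.register_namespace("tools", TOOLS_NS)
    root = ET.fromstring(manifest_xml)
    for name in sorted(names):
        el = ET.SubElement(root, "uses-permission")  # appended after <application>
        el.set("{%s}name" % ANDROID_NS, name)
        el.set("{%s}node" % TOOLS_NS, "remove")
    # ElementTree declares every namespace in use on the root element, so the
    # output carries xmlns:tools even when the input manifest did not.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report = diff_permissions(OLD_MANIFEST, NEW_MANIFEST)
    for label in ("differentiating", "common"):
        print(len(report[label]), label.upper())
        for name in report[label]:
            print("  " + name)
    patched = add_removal_overrides(NEW_MANIFEST, report["differentiating"])
    print(patched)
    print("effective after merge:", sorted(effective_permissions(patched)))
```

Run it as a script to see the report and the patched manifest. After the overrides are in place, confirm the result on the built APK rather than trusting the source manifest (for instance with `aapt dump permissions` from the Android build tools), and keep the caveat Tx raises in mind: a permission that a library really needs at runtime may break that library when removed, so exercise the purchase flow before shipping.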
  8. abedd123gharra

    abedd123gharra

    Joined:
    Aug 13, 2021
    Posts:
    1
    I still have this mail from Google and I don't use IAP at all, the only thing I use is Advertisements, I need help!
     
  9. JeffDUnity3D

    JeffDUnity3D

    Joined:
    May 2, 2017
    Posts:
    14,446
    You might want to post instead to the Ads forum https://forum.unity.com/forums/unity-ads.67/. I will close this thread now.
     