6

Ever since we have integrated Zoom SDK, Google has started sending vulnerability warning mails; if not fixed they will take the app down. As per the Zoom blog article on Zoom Rolling Out End-to-End Encryption Offering, they have worked on security related issues and it seems they have fixed them. So we updated Zoom SDK in our app with latest version which has all these security fixes. The version We are using in our app is "zoom-sdk-android-5.4.3.613". After submitting app, we again received warning mail from Google. Now this is really frustrating. Can somebody help?

Update:

So I raised a ticket at Zoom Support and they closed it as "Solved" immediately. Link to the ticket: https://support.zoom.us/hc/en-us/requests/9837191

TheLittleNaruto
  • 8,325
  • 4
  • 54
  • 73
  • Does it not specify where or what the vulnerability is? I'd think they'd be more prominent about it if Zoom's SDK had it and was preventing "all apps" that use it from being submitted, but then again, I have no idea how many apps use the ZoomSDK, and of those, which ones were "updated" recently to go through the security audit process. – Martin Marconcini Feb 16 '21 at 12:33
  • @MartinMarconcini There is a support link attached to the mail which says ["Remediation for Intent Redirection Vulnerability"](https://support.google.com/faqs/answer/9267555?hl=en). My guess is it's when we launch Zoon's Activity to join conference. – TheLittleNaruto Feb 16 '21 at 12:43
  • 2
    FYI: That support link is not public and requires a login. Likely limited for your personal account. – rekire Feb 17 '21 at 05:55
  • @rekire Oh Didn't know that. Should I attach a screenshot? – TheLittleNaruto Feb 17 '21 at 05:56
  • If you think a screenshot may contain useful information, go ahead, but if it's just generic AI generated text/responses, then it's probably not worth. – Martin Marconcini Feb 17 '21 at 10:13
  • @MartinMarconcini In that case it's not worth to attach. – TheLittleNaruto Feb 17 '21 at 13:20

1 Answers1

2

So we finally were able to narrow down the root cause. The issue we were getting from Google Play was "Intent Redirection Violation". I'll list down what all things we did to fix the issue:

  1. Definitely updating Zoom SDK was needed which we had done already.

  2. As per Google suggestion, we checked if any intent redirection was untrusted. To do so, we can put this piece of code inside onCreate() of an Activity:

    // check if the originating Activity is from trusted package
if (getCallingActivity().getPackageName().equals("known")) {
  Intent intent = getIntent();
  // extract the nested Intent
  Intent forward = (Intent) intent.getParcelableExtra("key");
  // redirect the nested Intent
  startActivity(forward);
}

  3. We were using SMS Verification APIs and protecting a broadcast receiver with the SEND_PERMISSION will ensure that an Intent comes from Play Services. In our case this SEND_PERMISSION was not set.

ʍѳђઽ૯ท
  • 16,646
  • 7
  • 53
  • 108
TheLittleNaruto
  • 8,325
  • 4
  • 54
  • 73