Qark reports a PendingIntent security issue on java files: zzaup, zzst, zze, MediaButtonReceiver, TaskStackBuilder
I'm working on an already existing app and I had to test the code security vulnerabilities using QARK (Quick Android Review Kit).
When I run this tool it reports this problems related to Pending Intents:
In these Java classes:
- myApp/classes_dex2jar/com/google/android/gms/internal/zzaup.java
- myApp/classes_dex2jar/com/google/android/gms/internal/zzst.java
- myApp/classes_dex2jar/com/google/android/gms/common/zze.java
- myApp/classes_dex2jar/android/support/v4/media/session/MediaButtonReceiver.java
- myApp/classes_dex2jar/android/support/v4/app/TaskStackBuilder.java
With the same warning:
Implicit Intent: localIntent used to create instance of PendingIntent. A malicious application could potentially intercept, redirect and/or modify (in a limited manner) this Intent. Pending Intents retain the UID of your application and all related permissions, allowing another application to act as yours.
File: myApp/classes_dex2jar/[folder structure for each java class listed above].java
More details: https://www.securecoding.cert.org/confluence/display/android/DRD21-J.+Always+pass+explicit+intents+to+a+PendingIntent
I really have no idea what to do.
In my code there isn't any of these classes, neither PendingIntent.
(Only 1 implicit intent to open a simple link in browser, nothing else!)
Any suggestion???
I answer myself so that I can help those who need it in the future.
Simply, the report that was given to me was generated with an old version of QARK (beginning of July 2018, version 1.2, the current one is 4.0.)
Searching on the internet I found this issue (now closed) in which it is said that:
"The blog posts are old and use the release version of QARK. In the newer version (with more checks, faster execution, and less false positives) we have a simple report for now. [...]".
Good luck to all and good development! 🤞
- Keep numbers which appear in both columns, in J lang
- Differentiation in J
- How to reshape an array with an arbitrary size in one dimension?
- Why is Insert (fold) right associative
- Write 4 : 'x&{.&.;: y' tacitly
- Alignment issue when printing formatted prime numbers in J language
- How can I define a verb in J that applies a different verb alternately to each atom in a list?
- How to get user input in the J programming language
- How to unbox a list of boxed lists of differing lengths in J?
- How can I fix 'noun result was required' error in J?
- In j, how can I define a verb locally in one scope and pass it to a defined adverb?
- Convert boxed array to normal array?
- Read column of CSV file as array
- Replace atom in array of strings
- What does the dyad `=` do to boxed strings?
- Index of minimum element using J
- How can I take the outer product of string vectors in J?
- Building an array of verbs in J
- Reading in multidigit command line parameter
- Amend with bond to new data shows unexpected behaviour
- How to turn a table or matrix into a (flat) list in J
- How to run dissect in J?
- How to define selection using index function in J
- How to exit the J console?
- Find 4-neighbors using J
- Writing custom verbs in J
- How do I negate a selector in J lang?
- How to use arbitrary selector in interchange in J lang?
- different result once square root is added inside tacit
- Sum of arrays with repeated indices