
[Bug]: VAPT issue found in react-native-onesignal for android. #1465

Closed · 2 of 3 tasks
somasekharkakarla opened this issue Dec 8, 2022 · 1 comment

Comments


somasekharkakarla commented Dec 8, 2022

What happened?

Our application recently went through VAPT. The team got back with two low vulnerabilities:

  1. The following activities are marked as exported in the manifest file, but those are not protected by any permissions. This can expose the mentioned activities to malicious apps running on the device.
     Activity (com.onesignal.NotificationOpenedActivityHMS), Activity (com.onesignal.NotificationOpenedReceiver) are not protected. [android:exported=true]

  2. The following receivers are exported, but not protected by any permissions. Failing to protect receivers could leave them vulnerable to attack by malicious apps. The receivers should be reviewed for vulnerabilities, such as injection and information leakage.
     Broadcast Receiver (com.onesignal.UpgradeReceiver), (com.onesignal.BootUpReceiver), (com.onesignal.NotificationDismissReceiver), (com.onesignal.FCMBroadcastReceiver) are not protected. [android:exported=true]

[Screenshot attached: 2022-12-08 at 5:59:12 PM]

@BritOneSignal @dean-onesignal @mtsay-onesignal Please hot-fix it and release it.

Steps to reproduce?

VAPT process

What did you expect to happen?

No VAPT Issues

React Native OneSignal SDK version

4.3.1

Which platform(s) are affected?

  • iOS
  • Android

Relevant log output

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
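A manifest check for the class of finding reported above, added here as an example; it is not code from OneSignal, the react-native-onesignal project or the reporter's VAPT tool. The sample manifest is constructed: it lists the components named in the report plus two made-up com.example components (a permission-protected receiver and a non-exported one) and a made-up permission name, so the check has both positive and negative cases.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: the components named in the VAPT report plus
# two made-up ones (a permission-protected and a non-exported receiver).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
 <application>
  <activity android:name="com.onesignal.NotificationOpenedActivityHMS" android:exported="true"/>
  <activity android:name="com.onesignal.NotificationOpenedReceiver" android:exported="true"/>
  <receiver android:name="com.onesignal.UpgradeReceiver" android:exported="true"/>
  <receiver android:name="com.onesignal.BootUpReceiver" android:exported="true"/>
  <receiver android:name="com.onesignal.NotificationDismissReceiver" android:exported="true"/>
  <receiver android:name="com.onesignal.FCMBroadcastReceiver" android:exported="true"/>
  <receiver android:name="com.example.ProtectedReceiver" android:exported="true"
            android:permission="com.example.permission.INTERNAL"/>
  <receiver android:name="com.example.PrivateReceiver" android:exported="false"/>
  <service android:name="com.example.LegacyService">
   <intent-filter><action android:name="com.example.ACTION"/></intent-filter>
  </service>
 </application>
</manifest>"""

def _attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(elem):
    """Platform rule: an explicit android:exported wins; without it, a
    component that declares an <intent-filter> is exported by default
    (the pre-Android 12 behaviour; API 31+ requires the attribute)."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return elem.find("intent-filter") is not None

def unprotected_exported(manifest_xml):
    """Return (tag, class name) for every exported activity, receiver or
    service that is not gated by an android:permission attribute."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in ("activity", "receiver", "service"):
        for comp in root.iter(tag):
            if is_exported(comp) and not _attr(comp, "permission"):
                findings.append((tag, _attr(comp, "name")))
    return findings
```

Run `unprotected_exported` over the merged manifest of the built APK (after decoding it) rather than over the app's own source manifest, since library manifests such as the SDK's are merged in at build time.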
jennantilla (Contributor) commented:

@somasekharkakarla apologies that this issue was missed. Since it's been quite some time since this was opened, I will be closing it due to inactivity. If you still have concerns surrounding penetration tests, please @ mention me and we can pick back up the conversation!

We have released a new User Model major release that offers many improvements and enhancements. I'd highly recommend upgrading to our latest SDK version and checking it out! Please see our migration guide for full details!

Thanks!
