@somasekharkakarla apologies that this issue was missed. Since it's been quite some time since this was opened, I will be closing it due to inactivity. If you still have concerns surrounding penetration tests, please @ mention me and we can pick back up the conversation!
We have released a new User Model major release that offers many improvements and enhancements. I'd highly recommend upgrading to our latest SDK version and checking it out! Please see our migration guide for full details!
What happened?
Our application recently went through VAPT. The team got back with a 2-low vulnerability.
The following activities are marked as exported in the manifest file, but those are not protected by any permissions. This can expose the mentioned activity to malicious apps running on the device.
Activity (com.onesignal.NotificationOpenedActivityHMS)
Activity (com.onesignal.NotificationOpenedReceiver) is not Protected. [android:exported=true]
The following receivers are exported, but not protected by any permissions. Failing to protect receivers could leave them vulnerable to attack by malicious apps. The receivers should be reviewed for vulnerabilities, such as injection and information leakage.
Broadcast Receiver (com.onesignal.UpgradeReceiver), (com.onesignal.BootUpReceiver), (com.onesignal.NotificationDismissReceiver), (com.onesignal.FCMBroadcastReceiver) is not Protected. [android:exported=true]
@BritOneSignal @dean-onesignal @mtsay-onesignal Please hot-fix it and release it.
Steps to reproduce?
What did you expect to happen?
No VAPT Issues
React Native OneSignal SDK version
4.3.1
Which platform(s) are affected?
Relevant log output
No response
Code of Conduct