microsoft
Security issue: DevSettings Screen available in release react native android app.
Vulnerability category: Misconfiguration
DevSettings activity is available on release react native android application. DevSettings in release flavour of react native android application could make security vulnerability. DevSettings activity from React Native 0.64 should be in android/app/src/debug/AndroidManifest.xml. Link to latest Android Manifest in react-native-code-push https://github.com/microsoft/react-native-code-push/blob/master/android/app/src/main/AndroidManifest.xml#L7 More Information under these links: https://github.com/facebook/react-native/commit/d8e6c45782a5c9132bb7ec315fe0b9ba3999e830 https://react-native-community.github.io/upgrade-helper/?from=0.63.4&to=0.64.0 DevSettings should no be available in release application.
Steps to Reproduce
- Do reverse engineering on android application code
- Check Android Manifest file.
- There is a DevSettings activity
Step to reproduce
- Run application with objection
- Hook all available activities
- Invoke DevSettings activity
Step to reproduce
- Run DevSettings activity with adb
Expected Behavior
DevSettings should not be available on release react native android application.
Actual Behavior
DevSettings should is available on release react native android application.
Environment
- react-native-code-push version: 7.0.4
- react-native version: 0.68.0
- iOS/Android/Windows version: Android
- Does this reproduce on a debug build or release build? Release
- Does this reproduce on a simulator, or only on a physical device? Device
