While I was finishing my fork to implement basic Action Button functionality, I found a possible high-severity security issue for every app using flutter_local_notifications.
Causes:
The payload returned between the native code and the Flutter method callback is plain text. That means the app has to extract that plain-text value in order to process it. Note that some key information, such as the notification id, is lost in the MethodCall transition, so the current scenario encourages the app developer to put complex references into the plain-text payload in order to recover them after the user taps the notification.
If that app allows other users with low privileges to send notifications to someone, they now have a way to send malicious strings through notifications that could reach internal processing steps and allow code or parameter injection to manipulate the app.
Example
Consider an app using a JSON-encoded string as the payload to recover its references after the user taps a notification. A malicious user could inject another JSON-encoded string (with manipulated parameters or extra fields) through the body message, or even through a text-input response such as Android's RemoteInput. After the tap event, the malicious content could be processed and interpreted, allowing the user to reach unauthorized pages or functionalities, such as expired promotion codes, private messages, etc.
Solution
The solution is to return an object, not plain text, over the MethodCall Flutter listener. As the Android and iOS layers cannot pass memory objects to Dart files (because they are built from different technologies), we would pass the object encoded, containing the payload string escaped, and decode the object into memory on Flutter's side, without needing to check the payload, on the assumption that every user input contains unsafe information.
Inside the object used to transfer the information, we would put the other notification information, such as notification_id, etc.
The difference between the plugin doing this, as opposed to the app, is that the plugin extends into native code, where it is completely possible to distinguish parameters from the payload without needing to process and interpret the payload content.
But the obvious consequence is that the newly returned payload is totally different from the old one. The new method is naturally incompatible with apps that read plain text from the older versions.
So I propose creating a copy of onSelectNotification, called onReceiveNotification, that passes an object to the receiver event, and also marking the old onSelectNotification as deprecated and insecure. That way the new notification plugin will not become totally incompatible with those apps; developers will be warned about the danger and will keep receiving other updates until they change their code.
So, what do you guys think about that? Is there a better way to make those changes?
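The proposal above, as an added example that is not part of the original post or of the plugin's code: a plain-Dart simulation (no Flutter dependency, runnable with `dart run`) of the old plain-text handler beside the proposed object-based one. The class and function names (NotificationResponse, nativeSideEncode, routeFromPlainPayload, routeFromResponse), the route registry keyed by notification id, and the attacker string are all assumptions made for illustration.

```dart
import 'dart:convert';

// Added example, not the plugin's code. It simulates the proposal: the native
// side sends one JSON object in which the payload is a single escaped string
// field next to the notification id, and the Dart side decodes it into a typed
// object. All names below are assumptions for illustration.

/// Typed response decoded on the Dart side (hypothetical shape).
class NotificationResponse {
  final int id;           // id the app chose when it scheduled the notification
  final String? actionId; // action button pressed, if any
  final String? input;    // RemoteInput reply typed by the user: untrusted text
  final String? payload;  // opaque string attached by the app when scheduling

  const NotificationResponse(
      {required this.id, this.actionId, this.input, this.payload});

  /// Decode the object sent over the MethodChannel. Because payload and input
  /// are plain string values of the object, nothing inside them can become a
  /// sibling field such as `id`.
  factory NotificationResponse.fromEncoded(String encoded) {
    final map = jsonDecode(encoded) as Map<String, dynamic>;
    return NotificationResponse(
      id: map['id'] as int,
      actionId: map['actionId'] as String?,
      input: map['input'] as String?,
      payload: map['payload'] as String?,
    );
  }
}

/// Stand-in for the native side (assumed behaviour). It already holds id,
/// payload and reply text as separate values from the platform callback, so it
/// can build the object without ever parsing the payload; jsonEncode escapes
/// whatever the strings contain.
String nativeSideEncode(
    {required int id, String? actionId, String? input, String? payload}) {
  return jsonEncode(
      {'id': id, 'actionId': actionId, 'input': input, 'payload': payload});
}

/// Old pattern: the only thing the app gets is a plain string, so it parses
/// that string and trusts the fields it finds. Whatever text reaches this
/// string is interpreted as the app's own references.
String routeFromPlainPayload(String payload) {
  final refs = jsonDecode(payload) as Map<String, dynamic>;
  return refs['route'] as String;
}

/// Proposed pattern: the route comes from the app's own record of what it
/// scheduled, looked up by the id the native side preserved. The reply text
/// stays data and is never interpreted.
String routeFromResponse(
    NotificationResponse r, Map<int, String> scheduledRoutes) {
  return scheduledRoutes[r.id] ?? '/notifications';
}

void main() {
  // Constructed sample: the route the app registered when scheduling id 42.
  final scheduledRoutes = <int, String>{42: '/chat/thread/7'};

  // Constructed attacker text, sent as a message body or typed into a reply.
  const attackerText = '{"route":"/promo/redeem","code":"EXPIRED2019"}';

  // Old pattern: if this text ever reaches the plain-text payload, the app
  // obeys the attacker's `route` field.
  print('old handler navigates to: ${routeFromPlainPayload(attackerText)}');

  // Proposed pattern: the same text travels as the `input` field of an object,
  // the payload is a separate escaped string, and routing uses the id.
  final encoded = nativeSideEncode(
      id: 42, actionId: 'reply', input: attackerText, payload: 'thread=7');
  final response = NotificationResponse.fromEncoded(encoded);
  print('encoded object from native side: $encoded');
  print('new handler navigates to: ${routeFromResponse(response, scheduledRoutes)}');
  print('reply text preserved verbatim: ${response.input == attackerText}');
}
```

The property worth checking in a real implementation is the one the simulation relies on: the native side serialises payload and reply text as string values of a fixed object, so decoding the object on the Dart side can never promote user-supplied text into the `id` or `actionId` fields, and the app can key its behaviour on the preserved id instead of parsing references out of the payload.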