Common Intent Vulnerabilities

Intent Redirect

If an exported activity takes a caller-supplied Intent (for example from an extra) and passes it to startActivity, it is vulnerable to intent redirection: the caller's Intent is launched with the vulnerable app's identity and permissions.

Impact: An attacker app can reach non-exported activities of the vulnerable app (and anything else only the vulnerable app is allowed to start).

Mitigation: Sanitise the incoming Intent with IntentSanitizer (androidx.core), or check where it would go with Intent.resolveActivity before calling startActivity and refuse targets inside your own package; alternatively have the other app hand you a PendingIntent instead of a raw Intent. [Android Developers Guide]
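The vulnerable pattern next to a hardened version, as an added example that is not code from the page or from the hextree app. The class names, the "next" extra and the allow-listed partner component are assumptions; the allow-list part uses the androidx.core IntentSanitizer API the mitigation above refers to.

```java
// Added example: exported "proxy" activity that forwards a caller-supplied Intent.
// Class names, the "next" extra and ALLOWED_TARGET are assumptions for illustration.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import androidx.core.content.IntentSanitizer;

public final class IntentRedirectDemo {

    /** Vulnerable: launches whatever Intent the caller put in the "next" extra. */
    // Declared in the manifest as .IntentRedirectDemo$ProxyActivity with android:exported="true"
    public static class ProxyActivity extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            Intent next = getIntent().getParcelableExtra("next");
            if (next != null) {
                // Runs with THIS app's identity, so the attacker can aim it at one of
                // this app's non-exported activities: intent redirection.
                startActivity(next);
            }
            finish();
        }
    }

    /** Hardened: resolve first, refuse our own package, then allow-list the rest. */
    public static class SafeProxyActivity extends Activity {
        // The only target this proxy is ever expected to forward to (assumption).
        private static final ComponentName ALLOWED_TARGET =
                new ComponentName("com.example.partner", "com.example.partner.ShareActivity");

        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            Intent next = getIntent().getParcelableExtra("next");
            if (next != null && isSafeToForward(next)) {
                startActivity(next);
            }
            finish();
        }

        private boolean isSafeToForward(Intent intent) {
            // 1. Resolve the Intent to the component that would actually start.
            ComponentName target = intent.resolveActivity(getPackageManager());
            if (target == null) {
                return false;                               // nothing would handle it
            }
            // 2. Never redirect back into our own package; that is exactly how
            //    non-exported activities get reached.
            if (getPackageName().equals(target.getPackageName())) {
                return false;
            }
            // 3. Do not let the forwarded Intent carry our URI permission grants along.
            intent.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
            // 4. Allow-list every field with IntentSanitizer; anything else throws.
            try {
                new IntentSanitizer.Builder()
                        .allowComponent(ALLOWED_TARGET)
                        .allowAction(Intent.ACTION_SEND)
                        .allowExtra(Intent.EXTRA_TEXT, String.class)
                        .build()
                        .sanitizeByThrowing(intent);
            } catch (SecurityException e) {
                return false;                               // violated the allow-list
            }
            return true;
        }
    }
}
```

The resolveActivity check alone is enough to stop the classic redirect into a non-exported activity of the same app; the sanitizer step additionally stops the proxy from being used to start arbitrary third-party components or to smuggle unexpected extras, which is the behaviour a forwarding activity should have anyway.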

Returning Sensitive Intents in Results

An activity can also return an Intent carrying data to the activity that started it.

The caller starts it with startActivityForResult and receives the result Intent in its onActivityResult handler; the started activity supplies that Intent through setResult.

Impact: An attacker app can start the exported activity for a result itself and read the sensitive data from the Intent it returns.

Mitigation: Before calling setResult, check that the calling activity (getCallingActivity / getCallingPackage) has exactly the expected package and class name; compare with equals, not contains, since a substring check also accepts any package whose name merely contains the expected one.
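An exported activity that returns a secret only to one expected caller, as an added example that is not code from the page. The package and class names, the extra name and the token source are assumptions.

```java
// Added example: result-returning activity gated on the calling activity.
// EXPECTED_PKG / EXPECTED_CLS, the extra name and loadSessionToken() are assumptions.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

public class TokenPickerActivity extends Activity {
    // The one caller allowed to receive the result (assumption).
    private static final String EXPECTED_PKG = "com.example.victim";
    private static final String EXPECTED_CLS = "com.example.victim.MainActivity";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (!callerIsTrusted(getCallingActivity())) {
            // Started by someone else, or not started for a result at all: return nothing.
            setResult(RESULT_CANCELED);
            finish();
            return;
        }
        Intent result = new Intent();
        result.putExtra("session_token", loadSessionToken());
        setResult(RESULT_OK, result);   // delivered to the caller's onActivityResult
        finish();
    }

    /**
     * getCallingActivity() is non-null only when we were started with
     * startActivityForResult; the system records it from the real caller.
     */
    static boolean callerIsTrusted(ComponentName caller) {
        if (caller == null) {
            return false;
        }
        // Exact comparison. A check such as
        //   caller.getPackageName().contains("com.example.victim")
        // would also accept "com.example.victim.evil" or "evil.com.example.victim".
        return EXPECTED_PKG.equals(caller.getPackageName())
                && EXPECTED_CLS.equals(caller.getClassName());
    }

    private String loadSessionToken() {
        // Stand-in for whatever secret the real app returns (assumption).
        return "token-from-secure-storage";
    }
}
```

If the activity only ever needs to be reached from within the same app, the stronger fix is android:exported="false" in the manifest; the caller check above is for the case where one specific foreign app legitimately needs the result.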

Implicit Intent Hijacking

An app can send an Intent implicitly (matched by action, data and category) or explicitly (with the full package and class name). When the victim app sends sensitive data in an implicit Intent, an attacker app can declare a matching intent-filter and receive it, hijacking the data.

Impact: An attacker app can receive the data carried by the vulnerable app's implicit Intents, and can send the vulnerable app crafted Intents that match the same filters.

Mitigation: Do not send or receive sensitive data over implicit Intents; use explicit Intents (setPackage / setClassName) or another authenticated channel such as TLS.
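Both sides of the hijack, plus the explicit-Intent fix, as an added example that is not code from the page. The action name, the extra name and the helper component are assumptions; the manifest snippet in the comment is the attacker's filter.

```java
// Added example: implicit broadcast carrying a secret, the receiver that steals it,
// and the explicit replacement. Action/extra/component names are assumptions.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

public final class ImplicitIntentDemo {
    static final String ACTION_TOKEN_READY = "com.example.victim.TOKEN_READY";

    /** Victim, vulnerable: implicit broadcast, delivered to every matching receiver. */
    static void sendTokenVulnerable(Context ctx, String token) {
        Intent i = new Intent(ACTION_TOKEN_READY);     // no package, no component
        i.putExtra("token", token);
        ctx.sendBroadcast(i);   // any app with an <intent-filter> for this action gets it
    }

    /** Attacker: registers for the same action and reads the extra. */
    // Attacker manifest:
    // <receiver android:name=".ImplicitIntentDemo$HijackReceiver" android:exported="true">
    //   <intent-filter>
    //     <action android:name="com.example.victim.TOKEN_READY"/>
    //   </intent-filter>
    // </receiver>
    public static class HijackReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            Log.d("hijack", "stolen token: " + intent.getStringExtra("token"));
        }
    }

    /** Victim, fixed: explicit target, so only that one component receives it. */
    static void sendTokenFixed(Context ctx, String token) {
        Intent i = new Intent(ACTION_TOKEN_READY);
        i.setClassName("com.example.victim.helper",
                       "com.example.victim.helper.TokenReceiver");
        i.putExtra("token", token);
        ctx.sendBroadcast(i);
    }

    /** Victim, fixed for the "send" direction: only accept Intents that are not
     *  spoofable, i.e. keep the receiving component non-exported (or protect it
     *  with a signature permission) and never trust sender-supplied extras. */
    // <receiver android:name=".TokenReceiver" android:exported="false"/>
}
```

The same rule applies to activities and services: an Intent that names its component (setClassName or the Intent(Context, Class) constructor) is never offered to other apps' filters, while setPackage alone limits resolution to one package and is the right choice when the exact class in that package is not known.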

Mutable Pending Intent

In the intent redirection case, the attacker app sent an Intent naming a non-exported activity to an exported activity of the vulnerable app; the exported activity passed that Intent to startActivity, so it ran with the vulnerable app's identity and opened the non-exported activity, revealing sensitive data. The root cause is that the exported activity accepts and launches an arbitrary caller-controlled Intent.

A PendingIntent reverses the roles: the app that creates it builds the wrapped Intent itself, and whoever receives the PendingIntent can only trigger it (with the creator's identity and permissions), not replace its target, so plain intent redirection is not possible.

But if the PendingIntent is created with insecure flags such as PendingIntent.FLAG_MUTABLE (and, on Android 14 and later, PendingIntent.FLAG_ALLOW_UNSAFE_IMPLICIT_INTENT for an implicit base Intent), the receiving app can fill in the parts of the wrapped Intent that the creator left unset by calling PendingIntent.send with its own Intent.

Impact: An attacker app that obtains the PendingIntent (for example because the vulnerable app sent it over an insecure medium such as an implicit Intent) can modify the wrapped Intent's data and extras, and the resulting launch runs with the vulnerable app's identity.

Mitigations: Create PendingIntents with FLAG_IMMUTABLE around an explicit Intent (component set); use FLAG_MUTABLE only when a field genuinely has to be filled in by the receiver, and never hand a mutable PendingIntent to an untrusted app.
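The mutable and immutable variants side by side with the attacker's fill-in call, as an added example that is not code from the page. The action, extra and content URI names and the DocumentActivity class are assumptions.

```java
// Added example: mutable PendingIntent abuse and the FLAG_IMMUTABLE fix.
// Action/extra/URI names and DocumentActivity are assumptions for illustration.
import android.app.Activity;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;

public final class PendingIntentDemo {
    static final String ACTION_OPEN = "com.example.victim.OPEN_DOCUMENT";

    /** Stand-in for the victim's document viewer (assumption). */
    public static class DocumentActivity extends Activity { }

    /** Victim, vulnerable: mutable PendingIntent around an implicit Intent whose data is unset. */
    static PendingIntent createVulnerable(Context ctx) {
        Intent base = new Intent(ACTION_OPEN);          // no component, no data
        int flags = PendingIntent.FLAG_MUTABLE;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            // Android 14 refuses a mutable implicit PendingIntent unless this flag is set.
            flags |= PendingIntent.FLAG_ALLOW_UNSAFE_IMPLICIT_INTENT;
        }
        PendingIntent pi = PendingIntent.getActivity(ctx, 0, base, flags);
        // Handing it out in an implicit broadcast is how an attacker obtains it.
        ctx.sendBroadcast(new Intent("com.example.victim.PENDING_READY").putExtra("pi", pi));
        return pi;
    }

    /** Attacker: fills in the fields the victim left unset; the launch happens as the victim. */
    static void abuse(Context ctx, PendingIntent stolen) throws PendingIntent.CanceledException {
        Intent fill = new Intent();
        fill.setData(Uri.parse("content://com.example.victim.provider/secrets/1"));
        fill.setPackage("com.example.victim");   // keep resolution inside the victim
        fill.putExtra("export_to", "/sdcard/leak.txt");   // extra the victim trusts (assumption)
        // send(context, code, intent) merges 'fill' into the base Intent with Intent.fillIn:
        // data, package and extras that the victim never set now come from the attacker.
        stolen.send(ctx, 0, fill);
    }

    /** Victim, fixed: explicit component and FLAG_IMMUTABLE; send(...) can no longer change it. */
    static PendingIntent createFixed(Context ctx) {
        Intent base = new Intent(ctx, DocumentActivity.class);      // explicit target
        base.setData(Uri.parse("content://com.example.victim.provider/docs/42"));
        return PendingIntent.getActivity(ctx, 0, base, PendingIntent.FLAG_IMMUTABLE);
    }
}
```

With FLAG_IMMUTABLE the Intent passed to send() is ignored entirely, so even if the PendingIntent leaks the attacker can only fire the exact launch the victim prepared. If a field really must be supplied by the receiver, keep the component explicit and set every field the receiver must not control before creating the PendingIntent, since fillIn only replaces fields that are still empty.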

Deep Link Hijacking

A deep link is an Android mechanism that lets an app handle links with a specific scheme, host and path, as declared in the intent-filters of the app's deep-link activity in AndroidManifest.xml.

Because any app can declare the same scheme, host and path, a malicious app with intent-filters similar to the vulnerable app's can receive the link and the sensitive data it carries; this is deep link hijacking.

For example: clicking the link from the browser redirects the user to the app (io.hextree.attacksurface) that handles that particular deep link.

Note: Chrome also supports the intent:// scheme, which can launch a custom Intent at any exported activity that has the android.intent.category.BROWSABLE category. For example, clicking the link opens the hextree attack surface app and sends the extras needed to get flag 15.

Impact: Sensitive data that the vulnerable app receives through deep links can be intercepted by a malicious app.

Mitigations: Do not send sensitive data through deep links; use App Links, or use Chrome's intent:// scheme to craft an explicit deep link that names the package (and component).
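Building such an explicit intent:// link with Intent.toUri and parsing it back the way the receiving side sees it, as an added example that is not code from the page or from the hextree app. The package, activity class, scheme/host and the extra name are assumptions, and the manifest in the comment is a generic deep-link filter, not the hextree app's.

```java
// Added example: explicit intent:// deep link via Intent.toUri / Intent.parseUri.
// Package, class, scheme/host and the "flag_request" extra are assumptions.
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import java.net.URISyntaxException;

public final class IntentSchemeLinks {
    // Receiving side, for reference (manifest of the target app, assumption):
    // <activity android:name=".DeepLinkActivity" android:exported="true">
    //   <intent-filter>
    //     <action android:name="android.intent.action.VIEW"/>
    //     <category android:name="android.intent.category.DEFAULT"/>
    //     <category android:name="android.intent.category.BROWSABLE"/>  <!-- needed for intent:// -->
    //     <data android:scheme="myapp" android:host="open"/>
    //   </intent-filter>
    // </activity>

    /** Build an intent:// URL that names the target package, so a look-alike app cannot take it. */
    static String explicitDeepLink(String pkg, String cls, String data, String flagExtra) {
        Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse(data));   // e.g. "myapp://open/door"
        i.addCategory(Intent.CATEGORY_BROWSABLE);                     // what Chrome will add anyway
        i.setPackage(pkg);                                            // restrict resolution to this package
        i.setComponent(new ComponentName(pkg, cls));                  // also name the activity
        i.putExtra("flag_request", flagExtra);                        // string extra (assumption)
        // Serialises to the "intent:<data>#Intent;scheme=...;package=...;S.flag_request=...;end" form.
        return i.toUri(Intent.URI_INTENT_SCHEME);
    }

    /** Plain (hijackable) deep link for comparison: no package, any app with the filter may win. */
    static String implicitDeepLink(String data) {
        return new Intent(Intent.ACTION_VIEW, Uri.parse(data)).toUri(Intent.URI_INTENT_SCHEME);
    }

    /** What an app does with such a URL: parse it back into an Intent and read the fields. */
    static Intent parse(String intentUrl) throws URISyntaxException {
        return Intent.parseUri(intentUrl, Intent.URI_INTENT_SCHEME);
    }

    /** Receiver-side check: ignore links that did not explicitly target us. */
    static boolean wasExplicitlyTargeted(Intent received, String ownPackage) {
        return ownPackage.equals(received.getPackage())
                || (received.getComponent() != null
                    && ownPackage.equals(received.getComponent().getPackageName()));
    }
}
```

The package= field is what makes the link explicit from the browser's point of view: the Intent is resolved only within that package, so a second app registering the same scheme and host is never offered it. The extras in the fragment (S. for String, i. for int, and so on) are still visible to anyone who can see the link, which is why the mitigation above says not to carry secrets in deep links at all.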

Web Link Hijacking

Android web links are deep links with the http or https scheme but without the autoVerify attribute.

On devices running Android 12 and higher, web links open in the browser by default; on earlier versions any app that registers the host and path in its intent-filters can open them, just like other deep links, so they are vulnerable to web link hijacking in the same way as deep link hijacking.

App Link Hijacking

Android App Links are web links whose intent-filter has autoVerify set and whose host serves a valid /.well-known/assetlinks.json.

assetlinks.json tells the operating system which package names (identified by their signing-certificate fingerprint) are allowed to open links for that host.

But when the app that legitimately handles the App Link is not installed and a malicious app with similar intent-filters is, the malicious app may in some cases receive the link on Android 11 and below, bypassing the assetlinks.json verification. This behaviour is explained in more detail in the Fraunhofer article.
