OWASP category: MASVS-PLATFORM: Platform Interaction
Overview
The implicit Intent hijacking vulnerability occurs when an application does not specify a fully-qualified component class name or package when invoking an intent. This allows a malicious application to register an intent filter to intercept the intent instead of the intended application.
Depending on the intent content, attackers could read sensitive information or interact with mutable objects, such as mutable PendingIntents or Binders.
Impact
Hijacking an implicit intent allows an attacker to read or modify the content of the intent, as well as intercept the intent to perform an action. This could have consequences such as leaking sensitive information or data, or launching attacker-controlled components.
Mitigations
Make intents explicit by calling setPackage(), as shown in the following code snippet:
Kotlin
val intent = Intent("android.intent.action.CREATE_DOCUMENT").apply {
    addCategory("android.intent.category.OPENABLE")
    setPackage("com.some.packagename")
    setType("*/*")
    putExtra("android.intent.extra.LOCAL_ONLY", true)
    putExtra("android.intent.extra.TITLE", "Some Title")
}
startActivity(intent)
Java
Intent intent = new Intent("android.intent.action.CREATE_DOCUMENT");
intent.addCategory("android.intent.category.OPENABLE");
intent.setPackage("com.some.packagename");
intent.setType("*/*");
intent.putExtra("android.intent.extra.LOCAL_ONLY", true);
intent.putExtra("android.intent.extra.TITLE", "Some Title");
startActivity(intent);
If you need to use implicit intents, omit any sensitive information or mutable objects that you don't want to expose. Implicit intents may need to be used when an app does not have exact knowledge about which app will resolve the action (e.g. composing an email, taking a picture, etc.).
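Both mitigations combined in one helper, as an added example that is not part of the original page: it pins the intent to a trusted handler when one is installed, and otherwise returns an implicit copy with sensitive extras and mutable objects stripped. The names `hardenIntent`, `TRUSTED_PACKAGE`, `SENSITIVE_EXTRAS` and the `com.example.extra.*` keys are hypothetical.

```kotlin
import android.app.Activity
import android.app.PendingIntent
import android.content.Intent
import android.content.pm.PackageManager
import android.os.IBinder

// Hypothetical values for this example; replace with your app's own.
private const val TRUSTED_PACKAGE = "com.some.packagename"
private val SENSITIVE_EXTRAS = listOf(
    "com.example.extra.AUTH_TOKEN",
    "com.example.extra.ACCOUNT_ID"
)

/**
 * Returns an intent that is safe to start: explicit if the trusted package
 * can handle it, otherwise an implicit copy without sensitive content.
 */
fun Activity.hardenIntent(original: Intent): Intent {
    // On Android 11+ the trusted package must be visible to this app
    // (a <queries> entry in the manifest) or it will not be returned here.
    val handlers = packageManager.queryIntentActivities(
        original, PackageManager.MATCH_DEFAULT_ONLY
    )
    val trusted = handlers.firstOrNull {
        it.activityInfo.packageName == TRUSTED_PACKAGE
    }
    if (trusted != null) {
        // Pin the exact component so no other app's intent filter can match.
        return Intent(original).setClassName(
            trusted.activityInfo.packageName,
            trusted.activityInfo.name
        )
    }

    // Fallback stays implicit: work on a copy and drop what must not leak.
    val sanitized = Intent(original)
    SENSITIVE_EXTRAS.forEach { sanitized.removeExtra(it) }
    // Conservative choice for this example: remove every PendingIntent and
    // Binder extra, since any app that resolves the intent could use them.
    val extras = sanitized.extras // getExtras() returns a copy, safe to iterate
    extras?.keySet()?.forEach { key ->
        val value = extras.get(key)
        if (value is PendingIntent || value is IBinder) sanitized.removeExtra(key)
    }
    return sanitized
}
```

From an Activity, call `startActivity(hardenIntent(intent))` instead of `startActivity(intent)`.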