Skip to content

Intent Redirection

Intent Redirection

Description

An Android Intent redirection vulnerability occurs when an app sends an Intent (a messaging object used to request an action from another app component) to another component, but an attacker manipulates the Intent to redirect it to a malicious app or activity. This can lead to unauthorized access to app components.

import android.content.Intent;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;

public class YourActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // Get the Intent from the previous activity
        Intent intent = getIntent();
        Intent forward = intent.getParcelableExtra("key");

        if (forward != null) {
            startActivity(forward);
        }
    }
}

Recommendation

As a rule of thumb, it's best to avoid exposing functionality related to redirecting nested intents. However, if the situation demands, use the following strategies for mitigation:

  • Check where the intent is being redirected.
  • Use PendingIntent objects. This prevents your component from being exported and makes the target action intent immutable.
  • Use IntentSanitizer to make a sanitized copy of an Intent
import android.content.Intent;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;

public class YourActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // Get the Intent from the previous activity
        Intent intent = getIntent();
        Intent forward = intent.getParcelableExtra("key");
        ComponentName name = forward.resolveActivity(getPackageManager());
        if (name.getPackageName().equals("safe_package") && name.getClassName().equals("safe_class")) {
            startActivity(forward);
        }
    }
}

Standards

  • OWASP_MASVS_L1:
    • MSTG_PLATFORM_2
  • OWASP_MASVS_L2:
    • MSTG_PLATFORM_2
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3
  • OWASP_MASVS_v2_1:
    • MASVS_CODE_4
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5