Intent Redirection
Description
An Android Intent redirection vulnerability occurs when an app receives an Intent (a messaging object used to request an action from another app component) that carries a nested Intent, and forwards that nested Intent without validating it. An attacker can then craft the nested Intent so that the vulnerable app launches a component of the attacker's choosing with the vulnerable app's identity and permissions, which can lead to unauthorized access to non-exported app components.
import android.content.Intent;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;

public class YourActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        // Get the Intent from the previous activity
        Intent intent = getIntent();
        // The nested Intent comes from an untrusted caller
        Intent forward = intent.getParcelableExtra("key");
        if (forward != null) {
            // Vulnerable: the nested Intent is launched with this app's
            // identity and permissions without checking where it points
            startActivity(forward);
        }
    }
}
Recommendation
As a rule of thumb, it is best to avoid exposing functionality that redirects nested Intents at all. If the situation demands it, use the following strategies for mitigation:
- Check where the Intent is being redirected before launching it.
- Use PendingIntent objects. This prevents your component from being exported and makes the target action Intent immutable.
- Use IntentSanitizer to make a sanitized copy of the Intent, keeping only the component, action, extras and flags you expect.
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;

public class YourActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        // Get the Intent from the previous activity
        Intent intent = getIntent();
        Intent forward = intent.getParcelableExtra("key");
        if (forward == null) {
            return;
        }
        // Resolve the component the nested Intent would actually launch;
        // this is null when the Intent cannot be resolved
        ComponentName name = forward.resolveActivity(getPackageManager());
        if (name != null
                && name.getPackageName().equals("safe_package")
                && name.getClassName().equals("safe_class")) {
            // Only forward Intents that resolve to the allowlisted component
            startActivity(forward);
        }
    }
}
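The following is an added example, not code from the original page, that combines the destination check above with the IntentSanitizer recommendation: it only accepts nested Intents that resolve to one allowlisted activity inside the app's own package, then launches a sanitized copy so that unexpected extras, URI-grant flags and selectors from the caller are dropped. It assumes androidx.core.content.IntentSanitizer is available and uses the placeholder package name "com.example.app" and activity class "com.example.app.DetailsActivity".

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.PackageManager;
import androidx.core.content.IntentSanitizer;

public final class ForwardGuard {
    // Placeholder identifiers for illustration; substitute your own package and activity
    private static final String OWN_PACKAGE = "com.example.app";
    private static final String ALLOWED_CLASS = "com.example.app.DetailsActivity";

    private ForwardGuard() {}

    // Returns a sanitized copy of the nested Intent if it targets the allowlisted
    // activity, or null if it should not be forwarded.
    public static Intent safeForward(Intent outer, PackageManager pm) {
        if (outer == null) {
            return null;
        }
        Intent forward = outer.getParcelableExtra("key");
        if (forward == null) {
            return null;
        }
        // Implicit Intents are rejected outright: an implicit nested Intent could be
        // resolved to any matching app the caller has installed.
        ComponentName target = forward.getComponent();
        if (target == null
                || !OWN_PACKAGE.equals(target.getPackageName())
                || !ALLOWED_CLASS.equals(target.getClassName())) {
            return null;
        }
        // Confirm the component actually resolves (it must exist in this package)
        if (forward.resolveActivity(pm) == null) {
            return null;
        }
        // Build a copy containing only what the target needs. No allowFlags() call
        // means FLAG_GRANT_*_URI_PERMISSION and similar flags are stripped, and only
        // the one typed extra we expect survives.
        IntentSanitizer sanitizer = new IntentSanitizer.Builder()
                .allowComponent(new ComponentName(OWN_PACKAGE, ALLOWED_CLASS))
                .allowAction(Intent.ACTION_VIEW)
                .allowExtra("item_id", Integer.class)
                .build();
        try {
            return sanitizer.sanitizeByThrowing(forward);
        } catch (SecurityException disallowed) {
            return null; // the caller supplied something outside the allowlist
        }
    }

    public static void forwardIfSafe(Activity host) {
        Intent safe = safeForward(host.getIntent(), host.getPackageManager());
        if (safe != null) {
            host.startActivity(safe);
        }
    }
}
```

Call forwardIfSafe(this) from onCreate in place of the unchecked startActivity(forward).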
Links
Standards
- OWASP_MASVS_L1:
  - MSTG_PLATFORM_2
- OWASP_MASVS_L2:
  - MSTG_PLATFORM_2
- PCI_STANDARDS:
  - REQ_2_2
  - REQ_6_2
  - REQ_6_3
  - REQ_11_3
- OWASP_MASVS_v2_1:
  - MASVS_CODE_4
- SOC2_CONTROLS:
  - CC_2_1
  - CC_4_1
  - CC_7_1
  - CC_7_2
  - CC_7_4
  - CC_7_5