Intent Spoofing
Intent Spoofing
Description
Intent Spoofing consists of sending an intent toward an application components (Exported Activity, Broadcast Receiver, Content Provider, Service) to achieve unauthorized access.
The access may to different objectives like unauthorized data modification and information leakage, untrusted input injection, etc.
Recommendation
To limit one's exposure to this type of attack, consider the following recommendations:
- Avoid exporting components unless the component is specifically designed to handle requests from untrusted applications.
- Be aware that declaring an intent filter will automatically export the component, exposing it to public access.
- Avoid placing critical, state-changing actions in exported components.
- If a single component handles both inter-application and intra-application requests, the developer should consider dividing that component into separate components.
- If a component must be exported (e.g., to receive system broadcasts), then the component should dynamically check the caller's identity prior to performing any operations.
- Require Signature or SignatureOrSystem permissions to limit component's exposure to a set of trusted applications.
- Check the caller's identity prior to returning return values of exported components as they can leak private data.
Links
- Do not act on malicious intent (CERT Secure Coding)
- Improper Access Control (CWE-284)
- Intent Spoof (CAPEC-502)
- Analyzing Inter-Application Communication in Android
Standards
- CWE_TOP_25:
- CWE_276
- PCI_STANDARDS:
- REQ_6_2
- REQ_6_3
- REQ_7_3
- REQ_11_3
- SOC2_CONTROLS:
- CC_2_1
- CC_4_1
- CC_7_1
- CC_7_2
- CC_7_4
- CC_7_5