Intent Spoofing

Intent Spoofing

Risk: medium

Description

Intent Spoofing consists of sending an intent toward an application components (Exported Activity, Broadcast Receiver, Content Provider, Service) to achieve unauthorized access.

The access may to different objectives like unauthorized data modification and information leakage, untrusted input injection, etc.

Recommendation

To limit one's exposure to this type of attack, developers should avoid exporting components unless the component is specifically designed to handle requests from untrusted applications. Developers should be aware that declaring an intent filter will automatically export the component, exposing it to public access. Critical, state-changing actions should not be placed in exported components. If a single component handles both inter- and intra-application requests, the developer should consider dividing that component into separate components.

If a component must be exported (e.g., to receive system broadcasts), then the component should dynamically check the caller's identity prior to performing any operations. Requiring Signature or SignatureOrSystem permissions is an effective way of limiting a component's exposure to a set of trusted applications. Finally, the return values of exported components can also leak private data, so developers should check the caller's identity prior to returning sensitive values.

Links

• Do not act on malicious intent (CERT Secure Coding)
• Improper Access Control (CWE-284)
• Intent Spoof (CAPEC-502)
• Analyzing Inter-Application Communication in Android

Standards

• CWE_TOP_25:
  • CWE_276
• PCI_STANDARDS:
  • REQ_6_2
  • REQ_6_3
  • REQ_7_3
  • REQ_11_3