Implicit intent hijacking
Stay organized with collections
Save and categorize content based on your preferences.
OWASP category: MASVS-PLATFORM: Platform Interaction
Overview
The implicit intent hijacking vulnerability occurs when an application does
not specify a fully-qualified component class name or package when invoking an
intent. This allows a malicious application to register an intent filter to
intercept the intent instead of the intended application.
Depending on the intent content, attackers could read or modify sensitive
information or interact with mutable objects, such as mutable
PendingIntents or Binders.
Hijacking an implicit intent can also allow an attacker to perform arbitrary
actions such as launching attacker-controlled components.
Impact
If an implicit intent handling sensitive data passes a session token within an
extra URL string to open a WebView, any application specifying the proper intent
filters can read this token. This can allow any properly-configured application
on the device to intercept the intent and read the sensitive data within,
allowing attackers to exfiltrate data such as PII or session tokens.
Mitigations
Unless the application requires it, make intents explicit by calling
setPackage(). This allows the intent to be interpreted only by a specific
component (either in-app or from other applications), preventing untrusted
applications from intercepting the data sent along with the intent. The
following snippet shows how to make an intent explicit:
Kotlin
val intent = Intent("android.intent.action.CREATE_DOCUMENT").apply {
addCategory("android.intent.category.OPENABLE")
setPackage("com.some.packagename")
setType("*/*")
putExtra("android.intent.extra.LOCAL_ONLY", true)
putExtra("android.intent.extra.TITLE", "Some Title")
}
startActivity(intent)
Java
Intent intent = new Intent("android.intent.action.CREATE_DOCUMENT");
intent.addCategory("android.intent.category.OPENABLE");
intent.setPackage("com.some.packagename");
intent.setType("*/*");
intent.putExtra("android.intent.extra.LOCAL_ONLY", true);
intent.putExtra("android.intent.extra.TITLE", "Some Title");
startActivity(intent);
If you need to use implicit intents, omit any sensitive information or mutable
objects that you don't want to expose. Implicit intents may need to be used when
an app does not have exact knowledge about which app will resolve the action
(e.g. composing an email, taking a picture, etc.).
Resources
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2024-09-24 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-09-24 UTC."],[],[],null,["# Implicit intent hijacking\n\n\u003cbr /\u003e\n\n**OWASP category:** [MASVS-PLATFORM: Platform Interaction](https://mas.owasp.org/MASVS/09-MASVS-PLATFORM)\n\nOverview\n--------\n\nThe [implicit intent](/guide/components/intents-filters#Types) hijacking vulnerability occurs when an application does\nnot specify a fully-qualified component class name or package when invoking an\nintent. This allows a malicious application to register an intent filter to\nintercept the intent instead of the intended application.\n\nDepending on the intent content, attackers could read or modify sensitive\ninformation or interact with mutable objects, such as [mutable](/reference/android/app/PendingIntent#FLAG_MUTABLE)\n[PendingIntents](/reference/android/app/PendingIntent) or [Binders](/reference/android/os/Binder).\n\nHijacking an implicit intent can also allow an attacker to perform arbitrary\nactions such as launching attacker-controlled components.\n\nImpact\n------\n\nIf an implicit intent handling sensitive data passes a session token within an\nextra URL string to open a WebView, any application specifying the proper intent\nfilters can read this token. This can allow any properly-configured application\non the device to intercept the intent and read the sensitive data within,\nallowing attackers to exfiltrate data such as PII or session tokens.\n\nMitigations\n-----------\n\nUnless the application requires it, make intents explicit by calling\n`setPackage()`. This allows the intent to be interpreted only by a specific\ncomponent (either in-app or from other applications), preventing untrusted\napplications from intercepting the data sent along with the intent. The\nfollowing snippet shows how to make an intent explicit: \n\n### Kotlin\n\n val intent = Intent(\"android.intent.action.CREATE_DOCUMENT\").apply {\n addCategory(\"android.intent.category.OPENABLE\")\n setPackage(\"com.some.packagename\")\n setType(\"*/*\")\n putExtra(\"android.intent.extra.LOCAL_ONLY\", true)\n putExtra(\"android.intent.extra.TITLE\", \"Some Title\")\n }\n startActivity(intent)\n\n### Java\n\n Intent intent = new Intent(\"android.intent.action.CREATE_DOCUMENT\");\n intent.addCategory(\"android.intent.category.OPENABLE\");\n intent.setPackage(\"com.some.packagename\");\n intent.setType(\"*/*\");\n intent.putExtra(\"android.intent.extra.LOCAL_ONLY\", true);\n intent.putExtra(\"android.intent.extra.TITLE\", \"Some Title\");\n startActivity(intent);\n\nIf you need to use implicit intents, omit any sensitive information or mutable\nobjects that you don't want to expose. Implicit intents may need to be used when\nan app does not have exact knowledge about which app will resolve the action\n(e.g. composing an email, taking a picture, etc.).\n\nResources\n---------\n\n- [Manifest intent-filter element](/guide/topics/manifest/intent-filter-element)\n- [Privileged Permission Allowlisting](https://source.android.com/devices/tech/config/perms-allowlist)\n- [Intents and Intent filters](/guide/components/intents-filters)\n- [Forcing chooser for implicit intents](/guide/components/intents-filters#ForceChooser)\n- [Common implicit intents](/guide/components/intents-common)"]]
