AttackFlow Findings Dictionary

Finding A Way To Try AttackFlow Enterprise Edition?

If so, click to download 15 days full version for free!

Insecure API Usage - Implicit Intent Usage in PendingIntent

An unauthorized application may use permissions of a target application

Severity

High

Fix Cost

Low

Trust Level

Medium

Android supports Intents as the messages between components such as activities, services and broadcast receivers. When an original application gives away an Intent to another target application, the target application runs the operations specified inside the Intent with its own permissions.

There’s another kind of Intent which is called PendingIntents that can be used to transfer the original application permissions to the target application along with the Intent sent. This way the original application is granting to target application the right to perform the operation with the original application has specified and acquired, including the identity.

Therefore, the PendingIntents should not fall into the wrong hands according to the operation sensitivity included in the Intent. The PendingIntent may wrap explicit or implicit Intents and when a PendingIntent wraps an implicit Intent, it can be intercepted with unauthorized applications.

            
Intent intent = new Intent(ACTION_VIEW, Uri.parse("http://www.mybank.com/token/193avcAj3");
PendingIntent pendingIntent = PendingIntent.getBroadcast(this, 1, intent, 0);

// call the pendingintent in two seconds
AlarmManager alarmManager = (AlarmManager) getSystemService(ALARM_SERVICE);
alarmManager.set(AlarmManager.RTC_WAKEUP, System.currentTimeMillis() + 2000, pendingIntent);
                
            

The above code constructs an implicit Intent with sensitive data in it and wraps it with an PendingIntent which is broadcasted in 2 seconds with the permissions and identity of the original application.

Finding A Way To Purchase AttackFlow Enterprise Edition?

If so, click to buy now for yearly subscriptions!