MASTG-BEST-0056: Use Explicit Intents for Internal IPC
Use explicit intents when communicating between components within the same app. An explicit intent specifies the target component directly by package name or class name, ensuring the intent can only be delivered to the intended recipient and can't be intercepted by a third-party app through normal intent resolution.
Java/Kotlin¶
Set the target package with Intent.setPackage or target a specific component before sending the intent:
// Explicit by package - restricts delivery to your own app
val intent = Intent("com.example.app.PROCESS_DATA").apply {
setPackage("com.example.app")
putExtra("key", "value")
}
startActivity(intent)
// Explicit by component - the most restrictive form
val intent = Intent(context, TargetActivity::class.java).apply {
putExtra("key", "value")
}
startActivity(intent)
Never send sensitive data (tokens, credentials, API keys) in an implicit intent. Android resolves implicit intents by matching installed apps that declare compatible <intent-filter> elements, so any matching app can become the selected recipient and receive the intent extras.
Manifest Configuration¶
For internal components, ensure they are not inadvertently exposed to other applications. For detailed instructions on properly securing the AndroidManifest.xml, refer to Restrict Access to Android App Components.
Tests¶
MASTG-TEST-0374: References to Implicit Intents Carrying Sensitive Extras MASTG-TEST-0372: Implicit Intents Used for Internal App Communication