MASTG-BEST-0056: Use Explicit Intents for Internal IPC

Use explicit intents when communicating between components within the same app. An explicit intent specifies the target component directly by package name or class name, ensuring the intent can only be delivered to the intended recipient and can't be intercepted by a third-party app.

Java/Kotlin

Set the target package or component explicitly before sending the intent:

```kotlin
// Explicit by package: restricts delivery to your own app
val packageScopedIntent = Intent("com.example.app.PROCESS_DATA").apply {
    setPackage("com.example.app")
    putExtra("key", "value")
}
startActivity(packageScopedIntent)

// Explicit by component: the most restrictive form
// (`context` is the calling component's Context)
val componentIntent = Intent(context, TargetActivity::class.java).apply {
    putExtra("key", "value")
}
startActivity(componentIntent)
```

Never send sensitive data (tokens, credentials, API keys) in an implicit intent. Any installed app that registers a matching <intent-filter> can receive the intent and all its extras.
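One way to enforce this rule at the call site is a small guard that refuses to send any intent that is not scoped to the app itself. This is an added example, not code from MASTG or the Android SDK; `InternalIpc`, its functions and `sendToken` are hypothetical names, and the action string is the sample one used above.

```kotlin
import android.content.Context
import android.content.Intent

/** Hypothetical helper: fails closed when an intent could leave the app. */
object InternalIpc {

    /** True when the intent names a component in this app or is restricted to this app's package. */
    fun isScopedToOwnApp(context: Context, intent: Intent): Boolean {
        val ownPackage = context.packageName
        // Explicit by component: the target component must live in our package.
        intent.component?.let { return it.packageName == ownPackage }
        // Explicit by package: setPackage() must name our own package.
        // A null package means the intent is implicit and is rejected.
        return intent.getPackage() == ownPackage
    }

    /** Returns the intent unchanged, or throws before anything is sent. */
    fun requireScoped(context: Context, intent: Intent): Intent {
        check(isScopedToOwnApp(context, intent)) {
            // Log only the action, never the extras, which may hold secrets.
            "Refusing to send intent (action=${intent.action}): not scoped to ${context.packageName}"
        }
        return intent
    }

    fun startInternalActivity(context: Context, intent: Intent) =
        context.startActivity(requireScoped(context, intent))

    fun sendInternalBroadcast(context: Context, intent: Intent) =
        context.sendBroadcast(requireScoped(context, intent))
}

// Usage: the sensitive extra is attached only to a package-scoped intent.
fun sendToken(context: Context, token: String) {
    val intent = Intent("com.example.app.PROCESS_DATA")
        .setPackage(context.packageName) // avoids a hard-coded package string
        .putExtra("token", token)
    InternalIpc.startInternalActivity(context, intent)
}
```

Routing all internal sends through one helper also gives code review and static analysis a single place to check.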

Manifest Configuration

For internal components, ensure they are not inadvertently exposed to other applications. For detailed instructions on properly securing the AndroidManifest.xml, refer to Restrict Access to Android App Components.

Tests

MASTG-TEST-0373: Internal Component Unintentionally Exported
MASTG-TEST-0374: References to Implicit Intents Carrying Sensitive Extras
MASTG-TEST-0372: Implicit Intents Used for Internal App Communication
MASTG-TEST-0375: Missing Validation of Data Returned from Implicit Intents