MASTG-TEST-0372: Implicit Intents Used for Internal App Communication

Overview

Using implicit intents for communication between components within the same application introduces a risk of intent hijacking. The Android system resolves implicit intents by identifying all activities that can handle the specified action, which may include third-party applications. If multiple apps register for the same action, the system may present a resolver dialog, potentially leading a user to accidentally select a malicious app. This can result in sensitive data leakage or unauthorized actions. For internal communication, explicit intents should be used to target specific components directly, bypassing the system's resolution process.

Steps

1. Use Reverse Engineering Android Apps to reverse engineer the app.
2. Use Static Analysis on Android to look for the relevant APIs.

Observation

The output should contain instances where an Intent is initialized and used without specifying a target component or package.

Evaluation

The test case fails if the app uses implicit intents for internal communication.

Best Practices

MASTG-BEST-0056: Use Explicit Intents for Internal IPC

Demos

MASTG-DEMO-0140: Attacker App Registering for Internal Implicit Intent