MASTG-TEST-0374: References to Implicit Intents Carrying Sensitive Extras

Overview

Sending sensitive data (such as authentication tokens, passwords, or personally identifiable information) as extras in an implicit intent is insecure. Implicit intents are resolved by the Android system and can be received by any app that registers a matching intent filter, exposing the sensitive data to unauthorized parties. Sensitive data should only be transmitted via explicit intents or other secure IPC mechanisms.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Static Analysis on Android to look for the relevant APIs.
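The static-analysis step above, as an added example that is not part of the MASTG page: a heuristic Python scan over decompiled Java source that flags `putExtra` calls on Intents constructed without a target class, component or package whose extra key looks sensitive. The sample source, the variable names and the sensitive-key word list are all constructed assumptions; `setPackage()` is treated as targeting for this heuristic because it restricts delivery to one package.

```python
"""Heuristic scan of decompiled Java for implicit Intents carrying sensitive extras."""
import re

# Constructed sample of decompiled source (not taken from any real app).
SAMPLE = """\
Intent share = new Intent("com.example.ACTION_SHARE");
share.putExtra("auth_token", token);
startActivity(share);
Intent profile = new Intent(this, ProfileActivity.class);
profile.putExtra("password", pwd);
startActivity(profile);
Intent view = new Intent(Intent.ACTION_VIEW);
view.setPackage("com.example.trusted");
view.putExtra("session_id", sid);
startActivity(view);
Intent theme = new Intent("com.example.ACTION_THEME");
theme.putExtra("theme", "dark");
sendBroadcast(theme);
"""

NEW_INTENT = re.compile(r"Intent\s+(\w+)\s*=\s*new\s+Intent\((.*)\)\s*;")
PUT_EXTRA = re.compile(r'(\w+)\.putExtra\(\s*"([^"]+)"')
TARGETED = re.compile(r"(\w+)\.(setClass|setClassName|setComponent|setPackage)\(")
# Assumed list of key fragments that usually denote sensitive data; extend per app.
SENSITIVE_KEY = re.compile(r"(?i)(token|passw|secret|session|ssn|credit|card|email|phone)")

def find_sensitive_implicit_extras(src):
    """Return (line_no, intent_var, extra_key) for sensitive extras put on implicit intents."""
    lines = src.splitlines()
    declared, explicit = set(), set()
    for line in lines:
        m = NEW_INTENT.search(line)
        if m:
            declared.add(m.group(1))
            if ".class" in m.group(2):      # new Intent(ctx, Foo.class) names a component
                explicit.add(m.group(1))
        t = TARGETED.search(line)
        if t:                               # later setClass/setComponent/setPackage call
            explicit.add(t.group(1))
    findings = []
    for no, line in enumerate(lines, 1):
        p = PUT_EXTRA.search(line)
        if p and p.group(1) in declared and p.group(1) not in explicit \
                and SENSITIVE_KEY.search(p.group(2)):
            findings.append((no, p.group(1), p.group(2)))
    return findings

if __name__ == "__main__":
    for no, var, key in find_sensitive_implicit_extras(SAMPLE):
        print(f"line {no}: implicit intent '{var}' carries sensitive extra '{key}'")
```

Only the first intent is reported: the second names a component, the third is restricted with `setPackage()`, and the fourth carries a non-sensitive key. Dataflow across methods and extras added via `Bundle` are out of scope for this line-based heuristic.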

Observation

The output should contain instances where an implicit Intent is populated with sensitive extras such as tokens, passwords, or personally identifiable information.

Evaluation

The test case fails if the app sends sensitive data via implicit intents.

Best Practices

MASTG-BEST-0056: Use Explicit Intents for Internal IPC