Intent redirection vulnerability in third-party SDK exposed ... #2114
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://www.microsoft.com/en-us/security/blog/2026/04/09/intent-redirection-vulnerability-third-party-sdk-android/
Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting -> Intent Injection (and/or add a subsection/page for Intent Redirection / Exported Components + Intent.parseUri URI_ALLOW_UNSAFE abuse, including content provider URI permission/persistable grant implications)".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title/Context
Microsoft Defender Security Research identified a severe Android intent redirection vulnerability in a widely used third‑party Android SDK: EngageSDK (EngageLab). The issue enables a malicious app installed on the same device to coerce a vulnerable host app into launching attacker-controlled intents under the host app’s identity/permissions, potentially enabling access to private app data (PII, credentials, financial data), including vi...
🔧 Technical Details
If an Android app (or embedded SDK) exposes an `exported` Activity/Receiver/Service that accepts attacker-controlled extras/data and then forwards/dispatches a new `Intent` derived from that input, the attacker can “borrow” the victim app’s identity and permissions. The risk becomes severe when the forwarded intent is (a) explicit (targets a specific component/package) or (b) insufficiently validated, allowing cross-app privilege abuse and access to protected components.

2) Unsafe parsing of intent URIs + URI permission grants can create persistent provider access

Using `Intent.parseUri(..., URI_ALLOW_UNSAFE)` (`URI_ALLOW_UNSAFE = 4`) on attacker-controlled strings can allow inclusion of URI permission grant flags in the parsed intent. If the victim app then launches the intent (e.g., `startActivity()`) and the target URI is a ...

🤖 Agent Actions
I’m mapping the Android/mobile sections first, then I’ll read the existing intent/component documentation before deciding whether this needs a new subsection or a different file.
I found the obvious candidate files. Next I’m reading the existing Android IPC and intent pages plus nearby docs to avoid duplicating material and to match HackTricks style.
The current intent page already covers generic `Intent.parseUri(...)` reparse bugs, but not the specific high-value pattern from this blog: exported proxy activity plus `URI_ALLOW_UNSAFE` granting persistent content-provider access. I’m checking adjacent files and repo-wide mentions now.

I’ve narrowed the update to a single file: intent-injection.md. Before editing, I’m checking the rest of that page for any existing section on `URI_ALLOW_UNSAFE`, provider grant flags, or merged-manifest supply-chain patterns.

I have enough context. I’m editing the existing intent page now, adding a focused subsection for exported SDK proxy components, `Intent.parseUri(..., URI_ALLOW_UNSAFE)`, and content-provider grant persistence, then I’ll verify the diff and resulting markdown.

Updated intent-injection.md.

The addition is focused and non-duplicative: it documents the specific technique from the Microsoft post that HackTricks was missing, namely exported SDK-added proxy components in the merged manifest that parse attacker-controlled `intent:` strings with `Intent.parseUri(..., URI_ALLOW_UNSAFE)` and preserve URI grant flags, enabling confused-deputy access to `content://` providers and potentially persistent provider access.

I kept it in a single existing file, added concise hunting notes, ADB testing ideas, merged-manifest review guidance, and appended the Microsoft blog plus official Android references in the existing `## References` section. Verified with `git diff` and a re-read of the modified section.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
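
The forwarding pattern from the Technical Details section, shown beside a checked form. This is an added example, not code from the PR, the Microsoft post or EngageSDK; the class name `SdkRouterActivity`, the `target_uri` extra and the allow-listed `com.example.host.DeepLinkActivity` are hypothetical.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import java.net.URISyntaxException;

// Hypothetical exported proxy activity; names and the "target_uri" extra are assumptions.
public class SdkRouterActivity extends Activity {
    private static final int GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
          | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
          | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
          | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    // Weak form, kept for comparison and never called: URI_ALLOW_UNSAFE lets the
    // caller's string carry grant flags, and the result is launched unchecked.
    private void forwardUnsafe(String raw) throws URISyntaxException {
        startActivity(Intent.parseUri(raw, Intent.URI_ALLOW_UNSAFE));
    }

    // Checked form: parse without URI_ALLOW_UNSAFE, strip what the caller must not
    // control, and launch only a target that resolves to an allow-listed component.
    private void forwardChecked(String raw) throws URISyntaxException {
        Intent target = Intent.parseUri(raw, Intent.URI_INTENT_SCHEME);
        target.setFlags(target.getFlags() & ~GRANT_FLAGS); // defence in depth
        target.setSelector(null);                          // no caller-chosen selector
        ComponentName resolved = target.resolveActivity(getPackageManager());
        if (resolved == null || !isAllowedTarget(resolved)) {
            return;                                        // drop anything unexpected
        }
        target.setComponent(resolved);                     // pin to the vetted component
        startActivity(target);
    }

    // Exact-match allow-list; a package-only check would still reach private activities.
    private boolean isAllowedTarget(ComponentName cn) {
        return getPackageName().equals(cn.getPackageName())
                && "com.example.host.DeepLinkActivity".equals(cn.getClassName());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String raw = getIntent().getStringExtra("target_uri");
        try {
            if (raw != null) forwardChecked(raw);
        } catch (URISyntaxException ignored) { /* malformed input is dropped */ }
        finish();
    }
}
```

Where the proxy has no cross-app use, setting `android:exported="false"` on it in the merged manifest removes the entry point entirely.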