Skip to content

Intent redirection vulnerability in third-party SDK exposed ... #2114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
carlospolop wants to merge 1 commit into
base: master
Choose a base branch
from
+63 −1
Open

Intent redirection vulnerability in third-party SDK exposed ... #2114

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 63 additions & 1 deletion src/mobile-pentesting/android-app-pentesting/intent-injection.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -285,6 +285,65 @@ Flags helpful for singleTask-style behavior
adb shell am start -n com.target/.ExportedActivity --activity-clear-task --activity-new-task
```

### Exported SDK proxy activity + `Intent.parseUri(..., URI_ALLOW_UNSAFE)` + provider grant abuse

A high-impact variant appears when a **third-party SDK adds an exported proxy Activity** in the **merged manifest** and that Activity turns attacker-controlled input into a new `Intent` that the victim app launches.

Common flow:
- Malicious app explicitly starts an **exported** Activity added by an SDK.
- The Activity reads an attacker-controlled extra/data field, sometimes wrapping it in JSON first.
- A field like `intent_uri` / `redirect_intent` / `n_intent_uri` is passed into `Intent.parseUri(...)`.
- The parsed result is later executed with `startActivity(...)`, `startService(...)`, or `sendBroadcast(...)` **under the victim app UID/permissions**.

High-risk indicators during review:
- SDK-added components visible only in the **merged** `AndroidManifest.xml`.
- `Intent.parseUri(untrusted, Intent.URI_ALLOW_UNSAFE)` on user-controlled strings.
- Code that appears to sanitize the parsed `Intent` (`setComponent(null)`, action checks, etc.) but **returns or launches a different explicit Intent**.
- Provider-related flags surviving the parse/forward chain:
- `FLAG_GRANT_READ_URI_PERMISSION`
- `FLAG_GRANT_WRITE_URI_PERMISSION`
- `FLAG_GRANT_PERSISTABLE_URI_PERMISSION`

Why this matters
- This is not only a generic redirect to another exported component. If the forwarded `Intent` points to a `content://` URI, the victim app can become the **confused deputy** that grants provider access on behalf of the attacker.
- With `URI_ALLOW_UNSAFE`, attacker-controlled `intent:` strings can preserve grant flags during parsing. If the target flow later accepts/takes the grant, the attacker may obtain **persistent** read/write access until the victim revokes it.
- In practice this can expose data reachable through providers that rely on the victim app identity or transient URI grants, including app-private files surfaced through `FileProvider`-style paths.

What to look for in code / Smali
- Exported Activity/Receiver/Service calling:
- `Intent.parseUri(...)`
- `startActivity(...)` / `startService(...)` / `sendBroadcast(...)`
- `setFlags(...)`, `addFlags(...)`, `getFlags()`
- `setComponent(null)` or `setPackage(null)` on one object while another `Intent` is actually returned/launched
- Parse-and-forward chains such as:
- incoming extra → JSON object → `intentUri` field → `Intent.parseUri(...)` → launch
- deep link / push payload / notification payload → helper method → explicit internal launch
- Manifest-merging surprises from dependencies:
```bash
# Inspect final exported components, not only the source manifest
apkanalyzer manifest print app.apk | grep -n -A4 -B2 'exported'
```

ADB testing ideas
```bash
# 1. Reach the exported proxy component directly
adb shell am start -n com.victim/.SdkProxyActivity \
--es payload '{"n_intent_uri":"intent:#Intent;action=android.intent.action.VIEW;S.browser_fallback_url=https://attacker.tld;end"}'

# 2. Test whether the app reparses an intent URI and launches an explicit internal target
adb shell am start -n com.victim/.SdkProxyActivity \
--es payload '{"n_intent_uri":"intent:#Intent;component=com.victim/.SensitiveActivity;end"}'

# 3. Probe provider-grant behaviour with content:// targets and grant flags
adb shell am start -n com.victim/.SdkProxyActivity \
--es payload '{"n_intent_uri":"intent:#Intent;action=android.intent.action.VIEW;data=content://com.victim.fileprovider/root/secret.xml;launchFlags=0x43;end"}'
```

Notes
- `0x43` is a compact test value for `FLAG_GRANT_READ_URI_PERMISSION` (`0x1`), `FLAG_GRANT_WRITE_URI_PERMISSION` (`0x2`), and `FLAG_GRANT_PERSISTABLE_URI_PERMISSION` (`0x40`).
- Exact extra names differ by app/SDK. During reversing, grep for `getStringExtra`, JSON field names, and helper methods that rebuild `Intent` objects from strings.
- If the vulnerable component comes from a dependency, always inspect the **merged manifest** generated after Gradle manifest merge, not only the developer-authored source manifest.

Real-world examples (impact varies):
- CVE-2024-26131 (Element Android): exported flows leading to WebView manipulation, PIN bypass, login hijack.
- CVE-2023-44121 (LG ThinQ Service): exported receiver action `com.lge.lms.things.notification.ACTION` → system-level effects.
Expand Down Expand Up @@ -392,6 +451,9 @@ This is useful to enumerate candidate handlers on a device/emulator and confirm
- [CVE-2020-14116 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-14116)
- [Android Intents (1/2): how they work, security, and attack examples – Mobeta](https://mobeta.fr/android-intent-hijacking-pentest-mobile/)
- [Android Intent reference](https://developer.android.com/reference/android/content/Intent)
- [Android docs – `URI_ALLOW_UNSAFE`](https://developer.android.com/reference/android/content/Intent#URI_ALLOW_UNSAFE)
- [Android docs – `FLAG_GRANT_PERSISTABLE_URI_PERMISSION`](https://developer.android.com/reference/android/content/Intent#FLAG_GRANT_PERSISTABLE_URI_PERMISSION)
- [Microsoft: Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk](https://www.microsoft.com/en-us/security/blog/2026/04/09/intent-redirection-vulnerability-third-party-sdk-android/)
- [CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)](https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/)
- [Unity docs – Android custom activity command-line](https://docs.unity3d.com/6000.0/Documentation/Manual/android-custom-activity-command-line.html)
- [Unity Security Sept-2025-01 advisory](https://unity.com/security/sept-2025-01)
Expand All @@ -401,4 +463,4 @@ This is useful to enumerate candidate handlers on a device/emulator and confirm
- [Android docs – Intents and Intent Filters](https://developer.android.com/guide/components/intents-filters)


{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}