Android users often face cybersecurity risks due to vulnerabilities in the internal components of popular apps. Recently, one such vulnerability was identified in the internal component called ‘Intents’.
Vulnerable Android ‘Intents’
Researchers were able to demonstrate that an Android application can be hacked by invoking its exposed Activity components by using ‘Intent’.
- In June 2020, researchers were able to hack sensitive data from Android apps via Android’s inter-process communication objects called ‘Intent’.
- Detailed information about any Android Application (including the declared Intents) can be obtained via the file AndroidManifest.xml (an application manifest file). With this, an attacker can obtain information about the series of exported Activities happening within the application.
- After knowing about the exported Activities, it is possible to send an ‘Intent’ to the exposed 'Activity' components (by using a root ADB shell), which would bypass the authentication requirements, thus leading to authentication bypass attacks.
Other ‘Intent’ flaws
There have been several occasions when bugs were found in Android app ‘Intent’.
- In November 2018, a flaw, tracked as CVE-2018-9581, was identified in Android app ‘Intents’, which could allow an attacker with physical proximity to a WiFi router to track the location of users within the router’s range.
- In August 2018, an API-breaking bug, CVE-2018-9489, was discovered in the Android app ‘Intents’, that could allow cyberattackers to covertly capture Wi-Fi broadcast data in order to track users.
According to some experts, applications should be developed using only export components, that are required to be exposed to other applications. These will help reduce the number of ‘Activities’ exposed in the application’s manifest file. Also, there must be a validation of all data received by the ‘Intents’ when communicating with other applications.