Jake

Reputation: 16837

Android - avoiding intent sniffing

I am trying to understand the statement made by viaForensics on this page:

When an activity is started by another application using a Broadcast Intent the data passed in the Intent can be read by a malicious app. The malicious app can also read a list of recent Intents for an application. For example, when the Android Web browser is invoked by an app which passes it a URL, that URL can be sniffed.

It is recommended that sensitive data should not be passed between apps using Broadcast Intents.

My questions are:

1) How can an activity be started using a broadcast intent?

2) How does a malicious application read the list of recent intents for an application?

Upvotes: 3

Views: 1270

Answers (1)

Emmanuel

Reputation: 13223

1) How can an activity be started using a broadcast intent?

You send an explicit Intent that matches the IntentFilter of the target Activity.

2) How does a malicious application read the list of recent intents for an application?

I do not know if you can get a list, but a malicious app can simply use the same IntentFilters as the non-malicious app and sniff your Intents.

Upvotes: 2
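
Added example, not part of the question or the answer above: a sender-side sketch of the recommendation quoted in the question, showing a broadcast that any matching IntentFilter can receive next to two restricted forms. The package, class, action, extra and permission names are hypothetical, and the custom permission is assumed to be declared by the receiving app with protectionLevel="signature".

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

public final class TokenSender {
    // Hypothetical identifiers for illustration; none of them come from the page.
    private static final String ACTION_TOKEN = "com.example.app.ACTION_TOKEN";
    private static final String EXTRA_TOKEN = "com.example.app.extra.TOKEN";
    private static final String TRUSTED_PKG = "com.example.receiver";
    private static final String TRUSTED_RECEIVER = "com.example.receiver.TokenReceiver";
    // Assumed custom permission, declared with protectionLevel="signature".
    private static final String PERM_RECEIVE = "com.example.app.permission.RECEIVE_TOKEN";

    private TokenSender() {}

    /** Risky: implicit broadcast. Every receiver whose IntentFilter
     *  matches ACTION_TOKEN is handed the extras, whoever installed it. */
    static void sendImplicit(Context ctx, String token) {
        Intent i = new Intent(ACTION_TOKEN);
        i.putExtra(EXTRA_TOKEN, token);
        ctx.sendBroadcast(i);
    }

    /** Safer: explicit component. IntentFilter matching is skipped and
     *  only the named receiver class in the named package is delivered to. */
    static void sendExplicit(Context ctx, String token) {
        Intent i = new Intent(ACTION_TOKEN);
        i.setComponent(new ComponentName(TRUSTED_PKG, TRUSTED_RECEIVER));
        i.putExtra(EXTRA_TOKEN, token);
        ctx.sendBroadcast(i);
    }

    /** Safer: still resolved by action, but limited to one package and
     *  to receivers that hold PERM_RECEIVE. */
    static void sendRestricted(Context ctx, String token) {
        Intent i = new Intent(ACTION_TOKEN);
        i.setPackage(TRUSTED_PKG);
        i.putExtra(EXTRA_TOKEN, token);
        ctx.sendBroadcast(i, PERM_RECEIVE);
    }
}
```

Data that never needs to leave the app is better kept out of system-wide broadcasts altogether.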
