MASWE-0066: Intents Inseguros

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Placeholder Weakness

This weakness hasn't been created yet and it's a placeholder. But you can check its status or start working on it yourself. If the issue has not yet been assigned, you can request to be assigned to it and submit a PR with the new content for that weakness by following our guidelines.

Check our GitHub Issues for MASWE-0066

Initial Description or Hints

por exemplo, chamar startActivity, startService, sendBroadcast ou setResult em Intents não confiáveis sem validar ou sanitizar esses Intents. Usar um intent implícito para iniciar um serviço é um risco de segurança, porque você não pode ter certeza de qual serviço responderá ao intent e o usuário não pode ver qual serviço inicia. por exemplo, pending intents mutáveis (não usando FLAG_IMMUTABLE), repetindo pending intents (não usando FLAG_ONE_SHOT)

Relevant Topics

• Insecure Intent Redirection
• Insecure Implicit Intents
• Insecure Pending Intents (Mutable, Replaying)

References

• https://support.google.com/faqs/answer/9267555?hl=en
• https://developer.android.com/privacy-and-security/security-tips#intents
• https://developer.android.com/topic/security/risks/intent-redirection
• https://developer.android.com/topic/security/risks/implicit-intent-hijacking
• https://developer.android.com/topic/security/risks/pending-intent

MASTG v1 Coverage

No MASTG v1 tests are related to this weakness.