@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What the post covers (Android, Oct 14, 2025)
The article explains how Android Intents work, how component exposure is configured, and shows two attack classes that arise from Intent misuse: (1) insufficient input filtering via Intents leading to client-side and server-side bugs (e.g., WebView XSS, SQLi, RCE), and (2) Intent Hijacking by registering matching intent-filters to intercept sensitive flows. It includes runnable lab code and a practical workflow to observe Intent resolution ...

🔧 Technical Details

WebView XSS via Intent extras: Treat all incoming Intent data as untrusted. If an exported Activity reads an extra (e.g., getStringExtra("data")) and injects it into a WebView with JS enabled (setJavaScriptEnabled(true)) without sanitization, a malicious app can send HTML/JS via an Intent to achieve reflected XSS and drive arbitrary in-WebView actions.


Hijacking implicit Intents: To intercept sensitive flows, publish an app that declares the same <intent-filter> (action/category/data) as the legitimate receiver. When the OS resolver shows a chooser, user selection of the attacker app routes the payload (e.g., auth token) to the attacker instead of the intended app.


Attack-surface chaining: Even non-exported Activities can be impacted if an exported component launches them using attacker-controlled extras or data URIs. Validate all Intent-derived inputs and prefer explicit Intents for sensitive op...

🤖 Agent Actions

Updates implemented.

Actions taken:

  • Researched and fetched the original blog content for precise technical details.
  • Explored the repository and reviewed at least 5 relevant files to find the best fit:
    • src/mobile-pentesting/android-app-pentesting/intent-injection.md
    • src/mobile-pentesting/android-app-pentesting/webview-attacks.md
    • src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
    • src/mobile-pentesting/android-app-pentesting/README.md
    • src/mobile-pentesting/android-app-pentesting/android-task-hijacking.md
    • src/mobile-pentesting/android-checklist.md

What I added and where:

  1. Intent Hijacking and resolver debugging
  • File updated: src/mobile-pentesting/android-app-pentesting/intent-injection.md
  • Additions:
    • New section “Intent Hijacking (implicit intents)” explaining how registering matching intent-filters can intercept sensitive flows, with a PoC manifest and handler skeleton; pentesting guidance and mitigations.
    • New section “Observing resolver decisions (FLAG_DEBUG_LOG_RESOLUTION)” with a code snippet and adb usage (-f 0x00000008) to trace how implicit intents are resolved in logcat.
    • Kept content aligned with HackTricks style and linked to developer mitigations (prefer explicit intents, permission-gated components, strict filters).
    • Added the Mobeta blog link and Android Intent reference to the References section.
  2. WebView XSS via Intent extras and loadData
  • File updated: src/mobile-pentesting/android-app-pentesting/webview-attacks.md
  • Additions:
    • New section “WebView XSS via Intent extras → loadData()” detailing the vulnerable code pattern that reads from getIntent().getStringExtra(...) and calls loadData() with JavaScript enabled, adb PoC, impact, and mitigations. Linked back to Intent Injection page for related primitives.
    • Updated References to include the Mobeta blog URL.
    • Preserved existing structure and added the section right before the References block without altering other content.

Why these locations:

  • intent-injection.md already covers intent-based abuses (deep links to WebView and redirection). It’s the most relevant place to add the Intent Hijacking technique and resolver debugging workflow.
  • webview-attacks.md covers XSS and WebView risks. The blog introduces a practical pattern for reflected XSS via Intent extras and loadData which was not explicitly described, so I added that as a new subsection including code and adb PoC.

References added:

No new files created. All changes were made via modify_file and preserve the HackTricks formatting and banners.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
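
A defender-side check for the component exposure described under Technical Details, as an added example that is not part of this PR, the blog post or HackTricks: it lists the activities, services and receivers in a decoded AndroidManifest.xml that other apps can reach with an Intent and that no permission guards. The sample manifest and its component names are constructed, and a missing `android:exported` is treated as exported when an intent-filter is present, which was the default before Android 12.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Providers are left out: their export default and permission attributes differ.
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lab">
  <application>
    <activity android:name=".WebActivity" android:exported="true"/>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.lab.permission.ADMIN"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """List components reachable by other apps' Intents with no permission gate."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return []
    app_permission = app.get(A + "permission")
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        filters = comp.findall("intent-filter")
        exported = comp.get(A + "exported")
        # No explicit value plus an intent-filter meant "exported" before Android 12.
        if exported != "true" and not (exported is None and filters):
            continue
        if comp.get(A + "permission") or app_permission:
            continue  # callers must hold a permission to reach this component
        actions = sorted(a.get(A + "name", "") for f in filters for a in f.findall("action"))
        findings.append({"name": comp.get(A + "name"), "type": comp.tag,
                         "explicit_exported": exported == "true", "actions": actions})
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

The check does not evaluate a permission's protection level, so a component gated by a `normal`-level permission is not flagged even though any app can request that permission.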

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://mobeta-fr.translate.goog/android-intent-hijacking-pentest-mobile/

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources / Pentesting Mobile / Android - Intents & WebView Abuse (Intent Hijacking, WebView XSS)".

Repository Maintenance:

  • MD Files Formatting: 901 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge
