Home » Android » android – How to secure Intent data while sending it across applications

android – How to secure Intent data while sending it across applications

Posted by: admin May 14, 2020 Leave a comment

Questions:

I am working on the security aspects of my android application.

I would like to know about the ways to secure the Intent data and extras while sending it from one application to another so that no other application other than these two can snoop it.

One of the brute-force approaches would be to use android’s encryption-decryption to encode intent data, is there a better way to achieve the same ??

Thanks in advance.

How to&Answers:

As pointed in the other answers, although you can send an Intent to a fully qualified Activity, nothing prevents someone to create an application with the same package.

You might want to add an additional security step to this scheme:

  • First send a ‘Challenge’ intent to the remote activity (it should, for example crypt a random string you provided using a shared passphrase and send it back to you)

  • If that first security step is ok, you may freely send unencrypted messages to this remote app by using its fully qualified activity.

This is quite lame security put it’s perhaps sufficient for your needs.


Please take a look at CommonsWare comment below.

One more secure way might be to code your activity as a Bound Service, keeping the Challenge step, but inside a more private communication mean.

Answer:

My guess is that if you use an explicit intent, i.e. specifying the class to which the intent is to be sent to, then no other class can intercept that intent and look at its data.
This method however, may fail if the class name in the application that you’re trying to send the information to changes.

Answer:

If an intent specifies the the target, which is part of the sender application’s package, then other applications won’t have the chance to capture it, it will be delivered to the intended receiver.

On the other hand, if you send an intent to an other application, there is no guarantie that the receiver of the intent will be the implementation you expect: if you send your intent to com.mycompany.security.SecureReceiver, but instead of your application, another application is installed with the given class description, than you will send your intent to that application.

Also Android is an open system. If someone compiles his own application framework, than he can manipulate the Intent delivery system.

Do you want to protect your data from the user, or from malicious applications?