Check Activities

In Android applications, an Activity is typically a single "screen" in the app.

Details

An Activity can be invoked by any application if it is exported and enabled. This could allow an attacker to load UI elements in a way the developer may not intend, such as jumping past a password lock screen to access data or functionality. By default, Activities are not exported; however, if you define an Intent filter for an Activity, it will be exported by the system.

Remediation

Activities can ensure proper behavior by checking internal app state to verify they are ready to load. For example, first see if the app is in the “unlocked” state and if not jump back to the lock screen. Regardless of what Intent filters are defined, exported/enabled Activities can be directly invoked with unsanitized data, so input validation is recommended when operating on data provided by an untrusted source.

Sample code: pass an ID as the Intent extra instead of the whole object.

    // Bad: passes the whole Parcelable object in the Intent
    public static Intent getStartingIntent(Context context, User user) {
        Intent i = new Intent(context, UserDetailsActivity.class);
        i.putExtra(EXTRA_USER, user);
        return i;
    }

    // Better: pass just the ID and look up the user details from it
    public static Intent getStartingIntent(Context context, String userId) {
        Intent i = new Intent(context, UserDetailsActivity.class);
        i.putExtra(EXTRA_USER_ID, userId);
        return i;
    }
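
The receiving side of the checks described under Remediation, as an added example that is not code from the original page: the Activity verifies the unlocked state before rendering and validates the ID extra before using it. SessionState, LockScreenActivity, UserRepository, the EXTRA_USER_ID value and the ID format are hypothetical names and assumptions introduced for illustration.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import java.util.regex.Pattern;

public class UserDetailsActivity extends Activity {
    public static final String EXTRA_USER_ID = "com.app.extra.USER_ID"; // constructed value

    // Assumption: IDs are 1-32 characters of [A-Za-z0-9_-]; adjust to the app's real format.
    private static final Pattern USER_ID = Pattern.compile("[A-Za-z0-9_-]{1,32}");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (redirectIfLocked()) return;

        // Input validation: if the Activity is exported, any caller can supply this extra.
        String userId = getIntent().getStringExtra(EXTRA_USER_ID);
        if (userId == null || !USER_ID.matcher(userId).matches()) {
            finish(); // reject missing or malformed input without rendering anything
            return;
        }

        // Look the record up locally instead of trusting an object sent by the caller.
        User user = UserRepository.findById(this, userId); // hypothetical lookup
        if (user == null) {
            finish();
            return;
        }
        setTitle(userId); // remaining view binding for 'user' goes here
    }

    @Override
    protected void onResume() {
        super.onResume();
        redirectIfLocked(); // re-check in case the app locked while in the background
    }

    // State check: returns true if the app is locked and the lock screen was started.
    private boolean redirectIfLocked() {
        if (SessionState.isUnlocked(this)) return false; // hypothetical helper
        Intent lock = new Intent(this, LockScreenActivity.class); // hypothetical Activity
        lock.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TOP);
        startActivity(lock);
        finish();
        return true;
    }
}
```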

Avoid Intent filters on Activities that are private; start them with an explicit Intent instead.

    <activity
        android:name="com.app.YourActivity"
        android:label="@string/app_name"
        android:excludeFromRecents="true"
        android:exported="false" >
    </activity>
