Intent Spoofing on Android

Most competent web developers have learned a thing or two about how to handle cross-site scripting and cross-site request forgery, the two main attack vectors for compromising the front end of a web application. These attacks take advantage of the complexity of modern web browsers and some of the idiosyncracies of how they function in the presence of content and scripts from a multitude of mutually mistrustful origins. Likewise, smartphone platforms are complex and must handle the safe coexistence of many apps with varying levels of trust and permissions, and they have some quirks of their own that present challenges for security. But since smartphones are a newer and younger technology, the kinds of security vulnerabilities present on them are much less well understood than the analogous web vulnerabilities. In this post we’ll take a look at an attack vector that often comes up on Android, namely intent spoofing, and discuss how to write apps that are secure from it.

Read on