Overview
Explore the intricacies of Android intents and their security implications in this 39-minute conference talk from AppSecEU 2014. Delve into how intents enable interprocess communications and collaboration, while also introducing potential vulnerabilities such as spoofing, hijacking, and data theft. Learn about the defensive approaches needed to secure intents properly, including validating assumptions and implementing old techniques in new ways. Gain insights into intent functionality under the hood, best practices for securing your intents, and strategies for developing more secure Android applications. Aimed primarily at app developers, this talk by Andrew Lee-Thorp, a Senior Consultant at Cigital Ltd, covers topics like explicit and implicit intents, intent filters, permissions, and practical examples of both vulnerable and secure implementations.
Syllabus
Introduction
About me
About you
Quick primer
Intent
Intent Example
Explicit Intent
Implicit Intent
Intent Filters
Intense
Permissions
Rules
Export
Uncertainty
Same old same old
Empty intent
Verify origin
Use explicit intents
Local Broadcast Manager
Unauthorized Intent Recipient
SQL Injection
Avoid Sending Sensitive Data
Example
The standard behavior
Example Bad App
Example Good App
The Fix
Summary
Custom permissions
Push notifications
Taught by
OWASP Foundation