Exposed Sensitive Android Intent
Overview of the Vulnerability
An Intent is a messaging object that an Android application uses to request an action from another component, either within the same application or in a different one. When a component receives such a request and returns information without validating who sent it or what it asks for, access controls can be bypassed and sensitive information leaked. The application exposes a sensitive Android Intent that an attacker can query to gather sensitive information from the application, which could then be used to mount further attacks on the application, the business, or its users.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
Steps to Reproduce
Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP
Use a browser to navigate to: {{URL}}
Log in to an account that should not be able to perform {{action}}
Forward the following request to the endpoint:
{{request}}
Observe that the account now has additional user functionality and access to data it was previously not authorized to access
Proof of Concept (PoC)
The screenshot below demonstrates the broken access control:
{{screenshot}}
Recommendation(s)
Broken access controls can be remediated by applying a handful of best practices for authentication, session management and authorization. These include:
Designing access controls thoroughly up front and ensuring that every request passes through an access control check. Deny by default: any request that is not explicitly allowed should be refused.
Following the principle of least privilege for all users, programs and processes, granting each only the minimum access needed to complete its business function.
Avoiding hardcoded roles in application code, as these become fragile and difficult to enforce and audit.
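As an added illustration of the overview and the recommendations above (not code from this template or from any Bugcrowd project), the block below shows a manifest entry that leaves an Intent handler reachable by any app on the device beside a hardened version, and a handler that denies by default and authorizes against the signed-in session rather than the caller's claim. The component, permission, extra and `Session`/`AccountRepository` names are hypothetical.

```java
// Added example; all names are hypothetical.
//
// AndroidManifest.xml, weak: any app on the device can send the Intent.
//   <activity android:name=".AccountDetailsActivity" android:exported="true">
//       <intent-filter><action android:name="com.example.GET_ACCOUNT"/></intent-filter>
//   </activity>
//
// AndroidManifest.xml, hardened: the component is not exported and, if it must be,
// is guarded by a signature-level permission so only apps signed with the same key
// can reach it. The handler below still validates the request itself.
//   <permission android:name="com.example.permission.READ_ACCOUNT"
//               android:protectionLevel="signature"/>
//   <activity android:name=".AccountDetailsActivity"
//             android:exported="false"
//             android:permission="com.example.permission.READ_ACCOUNT"/>

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

public class AccountDetailsActivity extends Activity {
    static final String ACTION_GET_ACCOUNT = "com.example.GET_ACCOUNT";
    static final String EXTRA_ACCOUNT_ID = "account_id";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent request = getIntent();

        // Deny by default: only the expected action with a well-formed extra proceeds.
        if (request == null || !ACTION_GET_ACCOUNT.equals(request.getAction())) {
            deny();
            return;
        }
        String accountId = request.getStringExtra(EXTRA_ACCOUNT_ID);
        if (accountId == null || !accountId.matches("[0-9]{1,12}")) {
            deny();
            return;
        }
        // Authorize against the signed-in session, never against data in the Intent.
        if (!Session.current().ownsAccount(accountId)) {   // Session: hypothetical
            deny();
            return;
        }
        Intent reply = new Intent();
        reply.putExtra("balance", AccountRepository.balanceFor(accountId)); // hypothetical
        setResult(RESULT_OK, reply);
        finish();
    }

    private void deny() { setResult(RESULT_CANCELED); finish(); }
}
```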
For more information, refer to the following resources: