Intent verification

Intents are the gateway to your application, whether for sharing files or opening links. You can never know where an intent is coming from, but you can make sure it isn't malicious.

Intent verification is currently still in Beta! Please provide feedback as an issue here

Intent verification provides a simple interface for protecting against attacks on Android 'Intents'. These vulnerabilities are often complex and subtle.

The basics

The basic use of the Safe to run intent verification service is to call .verify on any intent.

For example:

override fun onCreate(savedInstanceState: Bundle?) {
    super.onCreate(savedInstanceState)
    setContentView(R.layout.activity_bouncable)
    // Either do
    if (intent.verify {}) {
        // Do something
    } else {
        // Report failure
    }
    // Or instead you can do
    intent.verify {
        actionOnSuccess = {
            // Do something
        }

        actionOnFailure = {
            // Report failure
        }
    }
}

Verify is locked down by default: it disallows any URLs and does not allow any 'containing' intents, that is, any intents within the bundle.

Opening URLs

By default, a bundle cannot contain any URLs:

val intent = Intent().apply {
    putExtra("url", "https://abc.com")
}

val result : Boolean = intent.verify { } // Equals false

If you want to allow a specific URL, you can do this:

val intent = Intent().apply {
    putExtra("url", "https://abc.com?abc=def")
}

// Equals true 
val result : Boolean = intent.verify {
    urlConfig {
        "https://abc.com?abc=def".allowUrl()
    }
}

The next best thing is to whitelist the host:

val intent = Intent().apply {
    putExtra("url", "https://abc.com?abc=def")
}

// Equals true 
val result : Boolean = intent.verify {    
    urlConfig {
        "abc.com".allowHost()
    }
}

The downside of this approach is that you're no longer entirely sure of the specific parameters that may be passed to your URL.

The least recommended option is to allow all URLs:

val intent = Intent().apply {
    putExtra("url", "https://abc.com")
}

// Equals true 
val result : Boolean = intent.verify {
    urlConfig {
        allowAnyUrls = true
    }
}
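
To see what each of the three options above gives up, the following added example (plain Kotlin, not the library's code or API) models them as a hypothetical `UrlPolicy` and runs constructed sample URLs through each. The names `UrlPolicy` and `isAllowed`, and the https-only rule for host matching, are assumptions made for illustration.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Hypothetical policy type for illustration; it is not the library's API.
sealed interface UrlPolicy {
    // Strictest: exactly one known URL, query string included.
    data class ExactUrl(val url: String) : UrlPolicy
    // Any path and any query on one host.
    data class Host(val host: String) : UrlPolicy
    // Least recommended: everything passes.
    object AnyUrl : UrlPolicy { override fun toString() = "AnyUrl" }
}

// Returns true when `candidate` is acceptable under `policy`.
fun isAllowed(candidate: String, policy: UrlPolicy): Boolean = when (policy) {
    is UrlPolicy.ExactUrl -> candidate == policy.url
    is UrlPolicy.Host -> {
        val uri = try { URI(candidate) } catch (e: URISyntaxException) { null }
        // Compare the parsed host, never a prefix or substring of the raw string.
        // Assumption: host matching is only meaningful over https.
        uri?.scheme.equals("https", ignoreCase = true) &&
            uri?.host.equals(policy.host, ignoreCase = true)
    }
    UrlPolicy.AnyUrl -> true
}

fun main() {
    // Constructed sample inputs.
    val samples = listOf(
        "https://abc.com?abc=def",              // the expected URL
        "https://abc.com?abc=other",            // same host, different parameter
        "https://abc.com.example.net/?abc=def", // different host with a similar prefix
        "http://abc.com?abc=def",               // same host, cleartext scheme
    )
    val policies = listOf(
        UrlPolicy.ExactUrl("https://abc.com?abc=def"),
        UrlPolicy.Host("abc.com"),
        UrlPolicy.AnyUrl,
    )
    for (policy in policies) {
        println(policy)
        for (sample in samples) println("  ${isAllowed(sample, policy)}  $sample")
    }
}
```

Under the host policy the second sample is accepted even though its parameter differs from the expected one, so parameters still need their own validation before use.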
