Intent verification
tip
Intent verification is currently still in Beta! Please provide feedback as an issue here
Intent verification is intended to provide a simple interface for you to protect against attacks on android 'Intents'. The types of vulnerabilities are often complex and subtle.
The basics​
The basics of the Safe to run intent verification service is to call .verify
on any intent.
For example:
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
setContentView(R.layout.activity_bouncable)
// Either do
if (intent.verify {
}) {
// Do something
} else {
// Report failure
}
// Or instead you can do
intent.verify {
actionOnSuccess = {
// Do something
}
actionOnFailure = {
// Report failure
}
}
}
Verify is locked down by default to disallow any URLs, and does not allow any 'containing' intents - that is, any intents within the bundle
Opening URLs​
By default, a bundle cannot contain any urls:
val intent = Intent().apply {
putStringExtra("url", "https://abc.com")
}
val result : Boolean = intent.verify { }
// Equals false
If you want to allow a specific host, you can do this:
val intent = Intent().apply {
putStringExtra("url", "https://abc.com?abc=def")
}
val result : Boolean = intent.verify {
"https://abc.com?abc=def".allowUrl()
}
// Equals true
The next best thing, is to white list the host:
val intent = Intent().apply {
putStringExtra("url", "https://abc.com?abc=def")
}
val result : Boolean = intent.verify {
"abc.com".allowHost()
}
// Equals true
The downside of this approach being that you're no longer entirely sure of the specific parameters that may be passed to your URL
The least recommended option is to allow all urls:
val intent = Intent().apply {
putStringExtra("url", "https://abc.com")
}
val result : Boolean = intent.verify {
allowAnyUrls = true
}
// Equals true