Security Checklist for Android Component Communication
This article outlines essential security checks for Android components—including Activity, WebView, BroadcastReceiver, Service, and ContentProvider—highlighting common vulnerabilities such as exported components, SSL handling, saved passwords, implicit intents, and unsafe broadcast APIs, and provides practical code examples and mitigation steps.
Background With increasing user privacy concerns and diverse transaction scenarios, security testing has become an indispensable part of mobile testing. Automated security scans are introduced to detect potential risks in Android applications.
Component Overview Android’s four core components are Activity, Service, ContentProvider, and BroadcastReceiver. Improper attribute settings in AndroidManifest.xml can expose these components to hijacking and exploitation.
Activity Security 1) When exported="true" , an Activity can be invoked by other apps via Intents, creating a risk. 2) Apps should verify the top Activity in the task stack and warn users if it belongs to an unknown app.
WebView Security 1) Do not ignore SSL certificate errors; avoid calling handler.proceed() in onReceivedSslError . 2) Disable password saving with WebView.getSettings().setSavePassword(false) . 3) Restrict use of addJavascriptInterface to API level 17+ and avoid exposing vulnerable interfaces.
BroadcastReceiver Security 1) For internal broadcasts, set exported="false" . 2) Use android:permission="com.android.permission.send_permission" with android:protectionLevel="signature" to limit external use. Example permission and receiver declaration: <permission android:name="com.android.permission.send_permission" android:protectionLevel="signature"/> <receiver android:name=".permittedReceiver" android:permission="com.android.permission.send_permission"> <intent-filter> <action android:name="com.android.permitted_ACTION"/> </intent-filter> </receiver> 3) Avoid using sticky broadcast APIs such as sendStickyBroadcast , which are known to be insecure.
Service and ContentProvider Security ContentProvider misconfigurations can lead to local database injection; ensure exported="false" or use protectionLevel="signature" for internal use only.
Implicit Intent Risks Implicit intents can be hijacked. Convert them to explicit intents and avoid exposing PendingIntents that contain implicit intents. Example of a risky PendingIntent: PendingIntent.getBroadcast(context, requestCode, new Intent("ACTION_NAME"), 0) should be replaced with an explicit component specification.
References are provided for each security check, linking to official Android developer documentation.
Baidu Intelligent Testing
Welcome to follow.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.