Protecting extra data in Android Intent

I'm using an Intent to start a new Activity in a new task. This Intent carries some private data needed by that Activity in its extras. This data should not be readable by other applications. We've investigated whether this data is indeed not leaked. We found out that by using RecentTaskInfo from getRecentTasks() this extra data is readable by any arbitrary application that has GET_TASK permission. This is not very secure. We've stopped searching once we found this leak. Are there more ways this data is leaked? And, how can I ensure the data in the extra is not readable by other applications?

user2186703 asked Mar 19 '13 13:03


2 Answers

Starting from Android 4.1.1 an additional permission was added to guard extras being read by third party apps using the RecentTaskInfo. This permission (android.Manifest.permission.GET_DETAILED_TASKS) can only be acquired by the system. Without this permission, the extras will be swapped out before the baseIntent is returned via the RecentTaskInfo.

From the comment of commit http://androidxref.com/4.2.2_r1/history/frameworks/base/services/java/com/android/server/am/ActivityManagerService.java#8238e717df4bc5eebf15f97172d68af3599a95bb:

Add new signature-level permission to get details of tasks.

Third party apps now can't get access to the extras of the intents associated with tasks, to keep private data in them from leaking out.

Change-Id: I95af9e181ac42557bc8b981807e7ddd266a88d0e

So it seems that effort is being put into making intent extras safer to transport sensitive information. I don't know if there are other ways in which these extras can leak, but at least the extras seem OK from JB up.

baske answered Oct 03 '22 14:10


> This Intent carries some private data needed by that Activity in its extras

Why? Pass identifiers to private data in extras, where resolving those identifiers into that private data (e.g., database query) can only be done by the activity.

> We found out that by using RecentTaskInfo from getRecentTasks() this extra data is readable by any arbitrary application that has GET_TASK permission

Yes, I blogged about this nearly two years ago, and others probably did even before that.

> Are there more ways this data is leaked?

All requests to start other components go by way of an OS process, and so the data is "leaked" to the OS all of the time.

And, depending on what you do with the Intent, you might leak it in other ways (e.g., pass an Intent itself, as a Parcelable, to other apps).

> And, how can I ensure the data in the extra is not readable by other applications?

You can't. Again, do not put private data in activity extras, but instead use identifiers that can be used to get that private data.

CommonsWare answered Oct 03 '22 14:10
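The identifier approach from the answer above, as an added example that is not part of the original answers or the asker's code. `DetailActivity`, `PrivateDataStore` and `EXTRA_RECORD_ID` are hypothetical names, and the in-memory map is an assumption standing in for the database query the answer mentions.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical in-process store: the private data never leaves this app's memory.
final class PrivateDataStore {
    private static final ConcurrentHashMap<String, String> ENTRIES =
            new ConcurrentHashMap<String, String>();
    private PrivateDataStore() {}

    // Returns a random, meaningless identifier that is safe to place in an extra.
    static String put(String privateData) {
        String id = UUID.randomUUID().toString();
        ENTRIES.put(id, privateData);
        return id;
    }
    // Returns null for an unknown id, or for any id after the process was restarted.
    static String get(String id) { return id == null ? null : ENTRIES.get(id); }
    static void remove(String id) { if (id != null) ENTRIES.remove(id); }
}

public class DetailActivity extends Activity {
    static final String EXTRA_RECORD_ID = "com.example.extra.RECORD_ID"; // hypothetical key

    // Caller side: only the identifier travels through the OS and the recents list.
    static void start(Context context, String privateData) {
        Intent intent = new Intent(context, DetailActivity.class)
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
                .putExtra(EXTRA_RECORD_ID, PrivateDataStore.put(privateData));
        context.startActivity(intent);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String privateData = PrivateDataStore.get(getIntent().getStringExtra(EXTRA_RECORD_ID));
        if (privateData == null) { // stale id (task restored from recents) or foreign id
            finish();
            return;
        }
        // ... bind privateData to the UI here ...
    }

    @Override
    protected void onDestroy() {
        // Keep the entry across rotation; drop it only when the activity is really done.
        if (isFinishing()) PrivateDataStore.remove(getIntent().getStringExtra(EXTRA_RECORD_ID));
        super.onDestroy();
    }
}
```

An app holding the task's base Intent sees only a random UUID, which resolves to nothing outside this process.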