Port MASTG-TEST-0026: Testing Implicit Intents (android) (by Guardsquare)#3807
Open
serek8 wants to merge 16 commits into
Open
Port MASTG-TEST-0026: Testing Implicit Intents (android) (by Guardsquare)#3807serek8 wants to merge 16 commits into
serek8 wants to merge 16 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR ports the v1 “Testing Implicit Intents (Android)” content into the v2 structure by adding new Android v2 tests, supporting demos, best practices, and knowledge pages under the MASVS-CODE category.
Changes:
- Added four new v2 Android tests covering implicit-intent misuse patterns (internal IPC, unintended exports, sensitive extras, and unsafe intent results).
- Added a set of Android demos (including attacker-app companions) and tooling artifacts (Semgrep rules, Frooky hooks, outputs) to reproduce findings.
- Added three best practices and two knowledge pages to provide background and mitigation guidance for the new tests.
Reviewed changes
Copilot reviewed 45 out of 48 changed files in this pull request and generated 23 comments.
Show a summary per file
| File | Description |
|---|---|
| tests-beta/android/MASVS-CODE/MASTG-TEST-0x01.md | New test for implicit intents used for internal communication |
| tests-beta/android/MASVS-CODE/MASTG-TEST-0x02.md | New test for unintentionally exported internal components |
| tests-beta/android/MASVS-CODE/MASTG-TEST-0x03.md | New test for sensitive extras sent via implicit intents |
| tests-beta/android/MASVS-CODE/MASTG-TEST-0x04.md | New test for missing validation of data returned from implicit intents |
| knowledge/android/MASVS-CODE/MASTG-KNOW-0x01.md | Knowledge page describing implicit intents and intent resolution |
| knowledge/android/MASVS-CODE/MASTG-KNOW-0x02.md | Knowledge page covering URI schemes returned in intent results |
| best-practices/MASTG-BEST-0x01.md | Best practice recommending explicit intents for internal IPC |
| best-practices/MASTG-BEST-0x02.md | Best practice for sanitizing/validating data from external components |
| best-practices/MASTG-BEST-0x03.md | Best practice for controlling component export and access |
| demos/android/MASVS-CODE/MASTG-DEMO-0x01/MASTG-DEMO-0x01.md | Demo showing internal activity communication via implicit intent |
| demos/android/MASVS-CODE/MASTG-DEMO-0x01/MastgTest.kt | Kotlin sample implementing the vulnerable implicit-intent pattern |
| demos/android/MASVS-CODE/MASTG-DEMO-0x01/MastgTest_reversed.java | Reversed Java artifact for static analysis demo reproducibility |
| demos/android/MASVS-CODE/MASTG-DEMO-0x01/AndroidManifest.xml | Manifest snippet for the demo app |
| demos/android/MASVS-CODE/MASTG-DEMO-0x01/AndroidManifest_reversed.xml | Reversed manifest artifact for static analysis |
| demos/android/MASVS-CODE/MASTG-DEMO-0x01/rule.yaml | Custom Semgrep rule used by the demo |
| demos/android/MASVS-CODE/MASTG-DEMO-0x01/run.sh | Script to run the demo’s static analysis |
| demos/android/MASVS-CODE/MASTG-DEMO-0x01/output.txt | Captured Semgrep output for the demo |
| demos/android/MASVS-CODE/MASTG-DEMO-0x01/implicit-intent-choose-app.png | Screenshot illustrating the chooser dialog behavior |
| demos/android/MASVS-CODE/MASTG-DEMO-0x02/MASTG-DEMO-0x02.md | Demo to detect exported activities via Semgrep on manifest |
| demos/android/MASVS-CODE/MASTG-DEMO-0x02/rule.yaml | Custom Semgrep rule to flag exported activities |
| demos/android/MASVS-CODE/MASTG-DEMO-0x02/run.sh | Script to run the exported-activity rule |
| demos/android/MASVS-CODE/MASTG-DEMO-0x02/output.txt | Captured Semgrep output for exported-activity findings |
| demos/android/MASVS-CODE/MASTG-DEMO-0x03/MASTG-DEMO-0x03.md | Demo showing sensitive extras leaked via implicit intents |
| demos/android/MASVS-CODE/MASTG-DEMO-0x03/rule.yaml | Custom Semgrep rule to flag implicit intents with extras |
| demos/android/MASVS-CODE/MASTG-DEMO-0x03/run.sh | Script to run the extras-leak rule |
| demos/android/MASVS-CODE/MASTG-DEMO-0x03/output.txt | Captured Semgrep output for the extras-leak demo |
| demos/android/MASVS-CODE/MASTG-DEMO-0x04/MASTG-DEMO-0x04.md | Dynamic demo showing path traversal via malicious display name |
| demos/android/MASVS-CODE/MASTG-DEMO-0x04/MastgTest.kt | Kotlin sample implementing the vulnerable onActivityResult flow |
| demos/android/MASVS-CODE/MASTG-DEMO-0x04/AndroidManifest.xml | Manifest snippet for the victim demo app |
| demos/android/MASVS-CODE/MASTG-DEMO-0x04/hooks.json | Frooky hooks for runtime interception of file APIs |
| demos/android/MASVS-CODE/MASTG-DEMO-0x04/run.sh | Script to run Frooky instrumentation |
| demos/android/MASVS-CODE/MASTG-DEMO-0x04/output.json | Captured Frooky output (NDJSON) for evaluation |
| demos/android/MASVS-CODE/MASTG-DEMO-0x05/MASTG-DEMO-0x05.md | Attacker companion app demo for intercepting internal implicit intents |
| demos/android/MASVS-CODE/MASTG-DEMO-0x05/MastgTest.kt | Kotlin code for attacker activity that displays intercepted extras |
| demos/android/MASVS-CODE/MASTG-DEMO-0x05/AndroidManifest.xml | Attacker app manifest declaring intent-filter for interception |
| demos/android/MASVS-CODE/MASTG-DEMO-0x05/rule.yaml | Custom Semgrep rule to detect custom action registration |
| demos/android/MASVS-CODE/MASTG-DEMO-0x05/run.sh | Script to run attacker-app manifest rule |
| demos/android/MASVS-CODE/MASTG-DEMO-0x05/output.txt | Captured Semgrep output for attacker-app manifest |
| demos/android/MASVS-CODE/MASTG-DEMO-0x05/config.yml | Demo config file for attacker app |
| demos/android/MASVS-CODE/MASTG-DEMO-0x06/MASTG-DEMO-0x06.md | Attacker companion app demo for malicious ContentProvider filename |
| demos/android/MASVS-CODE/MASTG-DEMO-0x06/MastgTest.kt | Kotlin code for attacker activity/provider returning malicious metadata |
| demos/android/MASVS-CODE/MASTG-DEMO-0x06/AndroidManifest.xml | Attacker app manifest exporting a ContentProvider |
| demos/android/MASVS-CODE/MASTG-DEMO-0x06/rule.yaml | Custom Semgrep rule to detect exported ContentProvider |
| demos/android/MASVS-CODE/MASTG-DEMO-0x06/run.sh | Script to run exported-provider manifest rule |
| demos/android/MASVS-CODE/MASTG-DEMO-0x06/output.txt | Captured Semgrep output for exported-provider finding |
| demos/android/MASVS-CODE/MASTG-DEMO-0x06/config.yml | Demo config file for attacker app |
cpholguera
reviewed
May 25, 2026
cpholguera
reviewed
May 25, 2026
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
cpholguera
reviewed
May 29, 2026
| title: Internal Activity Communication via Implicit Intent | ||
| platform: android | ||
| code: [kotlin, xml] | ||
| kind: fail |
Collaborator
There was a problem hiding this comment.
Please add test: everywhere.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR closes #2997
This PR focuses on testing the use of implicit intents. In this PR I used extensively #3271.
Tests:
Demos:
Best Practices:
Knowledge Base:
AI Tool Disclosure
I created this PR with guided Gemini agent. Let's see how it compares against Copilot.
This contribution includes AI-generated content.
TODO