Balázs is a software engineer skilled in software architectural design, mobile security, effective product development and agile methodologies. His passion is creating intuitive, experience-focused user interfaces. He is always hungry for more knowledge and happy to share what he learns with others. He likes mentoring and being an enabler in a team. He is a co-organizer of the Android Budapest meetup group. Outside of work he enjoys cycling, photography, cars and coffee.
Balázs Gerlei
Don’t let attackers exploit your app via Intents
Intents are the starting points for every Android application. The platform is very much built on Activities, potentially from different apps, interacting with each other to complete tasks. This open nature can be an avenue for exploitation.
You have to consider Intents for what they are: inputs. And inputs must be sanitized. With this mentality, you can protect against many attacks, but some can only be avoided with the right architecture and platform support. Google finally made strides in this area with Android 15’s safer Intents. At the same time, you need to understand the attack surface to defend your apps.
We will describe and demonstrate issues such as:
- Privilege escalation via Intent redirection
- Denial-of-service via malformed Intents
- Leaking data via Intent parameter injection
- App impersonation via Task hijacking (StrandHogg)
At the end of the talk, you will have an understanding of how to mitigate and remediate many Intent-based Android vulnerabilities.