Potentially Intent Spoofing

Description

The application is vulnerable to intent spoofing which could result in the access and exploitation of unauthorized components.

Recommendation

It is recommended to apply proper input validation and parameter filtering on intent action.

Technical details
[TAINT] String 'com.android.launcher.action.INSTALL_SHORTCUT' ==>>> Sink '['Landroid/content/Intent;', '<init>', '(Ljava/lang/String;)V', '0', 'IPC_SINK']' [[('Landroidx/core/content/pm/ShortcutManagerCompat;', 'requestPinShortcut', '(Landroid/content/Context; Landroidx/core/content/pm/ShortcutInfoCompat; Landroid/content/IntentSender;)Z'), ('Landroidx/core/content/pm/ShortcutManagerCompat;', 'isRequestPinShortcutSupported', '(Landroid/content/Context;)Z'), ('Landroid/content/Intent;', '<init>', '(Ljava/lang/String;)V')]]

Use of a string value com.android.launcher.action.INSTALL_SHORTCUT to construct an Intent

Method androidx.core.content.pm.ShortcutManagerCompat.requestPinShortcut():


    public static boolean requestPinShortcut(android.content.Context p10, androidx.core.content.pm.ShortcutInfoCompat p11, android.content.IntentSender p12)
    {
        if (android.os.Build$VERSION.SDK_INT < 26) {
            if (androidx.core.content.pm.ShortcutManagerCompat.isRequestPinShortcutSupported(p10)) {
                android.content.Intent v3 = p11.addToIntent(new android.content.Intent("com.android.launcher.action.INSTALL_SHORTCUT"));
                if (p12 != null) {
                    p10.sendOrderedBroadcast(v3, 0, new androidx.core.content.pm.ShortcutManagerCompat$1(p12), 0, -1, 0, 0);
                    return 1;
                } else {
                    p10.sendBroadcast(v3);
                    return 1;
                }
            } else {
                return 0;
            }
        } else {
            return ((android.content.pm.ShortcutManager) p10.getSystemService(android.content.pm.ShortcutManager)).requestPinShortcut(p11.toShortcutInfo(), p12);
        }
    }

Method androidx.core.content.pm.ShortcutManagerCompat.isRequestPinShortcutSupported():


    public static boolean isRequestPinShortcutSupported(android.content.Context p3)
    {
        if (android.os.Build$VERSION.SDK_INT < 26) {
            if (androidx.core.content.ContextCompat.checkSelfPermission(p3, "com.android.launcher.permission.INSTALL_SHORTCUT") == 0) {
                int v3_2 = p3.getPackageManager().queryBroadcastReceivers(new android.content.Intent("com.android.launcher.action.INSTALL_SHORTCUT"), 0).iterator();
                while (v3_2.hasNext()) {
                    boolean v0_7 = ((android.content.pm.ResolveInfo) v3_2.next()).activityInfo.permission;
                    if ((android.text.TextUtils.isEmpty(v0_7)) || ("com.android.launcher.permission.INSTALL_SHORTCUT".equals(v0_7))) {
                        return 1;
                    }
                }
                return 0;
            } else {
                return 0;
            }
        } else {
            return ((android.content.pm.ShortcutManager) p3.getSystemService(android.content.pm.ShortcutManager)).isRequestPinShortcutSupported();
        }
    }

Method android.content.Intent.<init>() not found.

[TAINT] String 'com.android.launcher.action.INSTALL_SHORTCUT' ==>>> Sink '['Landroid/content/Intent;', '<init>', '(Ljava/lang/String;)V', '0', 'IPC_SINK']' [[('Landroidx/core/content/pm/ShortcutManagerCompat;', 'isRequestPinShortcutSupported', '(Landroid/content/Context;)Z'), ('Landroid/content/Intent;', '<init>', '(Ljava/lang/String;)V')]]

Use of a string value com.android.launcher.action.INSTALL_SHORTCUT to construct an Intent

Method androidx.core.content.pm.ShortcutManagerCompat.isRequestPinShortcutSupported():


    public static boolean isRequestPinShortcutSupported(android.content.Context p3)
    {
        if (android.os.Build$VERSION.SDK_INT < 26) {
            if (androidx.core.content.ContextCompat.checkSelfPermission(p3, "com.android.launcher.permission.INSTALL_SHORTCUT") == 0) {
                int v3_2 = p3.getPackageManager().queryBroadcastReceivers(new android.content.Intent("com.android.launcher.action.INSTALL_SHORTCUT"), 0).iterator();
                while (v3_2.hasNext()) {
                    boolean v0_7 = ((android.content.pm.ResolveInfo) v3_2.next()).activityInfo.permission;
                    if ((android.text.TextUtils.isEmpty(v0_7)) || ("com.android.launcher.permission.INSTALL_SHORTCUT".equals(v0_7))) {
                        return 1;
                    }
                }
                return 0;
            } else {
                return 0;
            }
        } else {
            return ((android.content.pm.ShortcutManager) p3.getSystemService(android.content.pm.ShortcutManager)).isRequestPinShortcutSupported();
        }
    }

Method android.content.Intent.<init>() not found.

[TAINT] String 'androidx.core.app.EXTRA_CALLING_PACKAGE' ==>>> Sink '['Landroid/content/Intent;', 'putExtra', '(Ljava/lang/String; Ljava/lang/String;)Landroid/content/Intent;', '0', 'IPC_SINK']' [[('Landroidx/core/app/ShareCompat$IntentBuilder;', 'from', '(Landroid/app/Activity;)Landroidx/core/app/ShareCompat$IntentBuilder;'), ('Landroidx/core/app/ShareCompat$IntentBuilder;', '<init>', '(Landroid/app/Activity;)V'), ('Landroid/content/Intent;', 'putExtra', '(Ljava/lang/String; Ljava/lang/String;)Landroid/content/Intent;')]]

Use of a string value androidx.core.app.EXTRA_CALLING_PACKAGE to construct an Intent

Method androidx.core.app.ShareCompat$IntentBuilder.from():


    public static androidx.core.app.ShareCompat$IntentBuilder from(android.app.Activity p1)
    {
        return new androidx.core.app.ShareCompat$IntentBuilder(p1);
    }

Method androidx.core.app.ShareCompat$IntentBuilder.<init>():


    private ShareCompat$IntentBuilder(android.app.Activity p4)
    {
        this.mActivity = p4;
        this.mIntent = new android.content.Intent().setAction("android.intent.action.SEND");
        this.mIntent.putExtra("androidx.core.app.EXTRA_CALLING_PACKAGE", p4.getPackageName());
        this.mIntent.putExtra("androidx.core.app.EXTRA_CALLING_ACTIVITY", p4.getComponentName());
        this.mIntent.addFlags(524288);
        return;
    }

Method android.content.Intent.putExtra() not found.

[TAINT] String 'androidx.core.app.EXTRA_CALLING_ACTIVITY' ==>>> Sink '['Landroid/content/Intent;', 'putExtra', '(Ljava/lang/String; Landroid/os/Parcelable;)Landroid/content/Intent;', '0', 'IPC_SINK']' [[('Landroidx/core/app/ShareCompat$IntentBuilder;', 'from', '(Landroid/app/Activity;)Landroidx/core/app/ShareCompat$IntentBuilder;'), ('Landroidx/core/app/ShareCompat$IntentBuilder;', '<init>', '(Landroid/app/Activity;)V'), ('Landroid/content/Intent;', 'putExtra', '(Ljava/lang/String; Landroid/os/Parcelable;)Landroid/content/Intent;')]]

Use of a string value androidx.core.app.EXTRA_CALLING_ACTIVITY to construct an Intent

Method androidx.core.app.ShareCompat$IntentBuilder.from():


    public static androidx.core.app.ShareCompat$IntentBuilder from(android.app.Activity p1)
    {
        return new androidx.core.app.ShareCompat$IntentBuilder(p1);
    }

Method androidx.core.app.ShareCompat$IntentBuilder.<init>():


    private ShareCompat$IntentBuilder(android.app.Activity p4)
    {
        this.mActivity = p4;
        this.mIntent = new android.content.Intent().setAction("android.intent.action.SEND");
        this.mIntent.putExtra("androidx.core.app.EXTRA_CALLING_PACKAGE", p4.getPackageName());
        this.mIntent.putExtra("androidx.core.app.EXTRA_CALLING_ACTIVITY", p4.getComponentName());
        this.mIntent.addFlags(524288);
        return;
    }

Method android.content.Intent.putExtra() not found.

[TAINT] String 'androidx.core.app.EXTRA_CALLING_PACKAGE' ==>>> Sink '['Landroid/content/Intent;', 'putExtra', '(Ljava/lang/String; Ljava/lang/String;)Landroid/content/Intent;', '0', 'IPC_SINK']' [[('Landroidx/core/app/ShareCompat$IntentBuilder;', '<init>', '(Landroid/app/Activity;)V'), ('Landroid/content/Intent;', 'putExtra', '(Ljava/lang/String; Ljava/lang/String;)Landroid/content/Intent;')]]

Use of a string value androidx.core.app.EXTRA_CALLING_PACKAGE to construct an Intent

Method androidx.core.app.ShareCompat$IntentBuilder.<init>():


    private ShareCompat$IntentBuilder(android.app.Activity p4)
    {
        this.mActivity = p4;
        this.mIntent = new android.content.Intent().setAction("android.intent.action.SEND");
        this.mIntent.putExtra("androidx.core.app.EXTRA_CALLING_PACKAGE", p4.getPackageName());
        this.mIntent.putExtra("androidx.core.app.EXTRA_CALLING_ACTIVITY", p4.getComponentName());
        this.mIntent.addFlags(524288);
        return;
    }

Method android.content.Intent.putExtra() not found.

[TAINT] String 'androidx.core.app.EXTRA_CALLING_ACTIVITY' ==>>> Sink '['Landroid/content/Intent;', 'putExtra', '(Ljava/lang/String; Landroid/os/Parcelable;)Landroid/content/Intent;', '0', 'IPC_SINK']' [[('Landroidx/core/app/ShareCompat$IntentBuilder;', '<init>', '(Landroid/app/Activity;)V'), ('Landroid/content/Intent;', 'putExtra', '(Ljava/lang/String; Landroid/os/Parcelable;)Landroid/content/Intent;')]]

Use of a string value androidx.core.app.EXTRA_CALLING_ACTIVITY to construct an Intent

Method androidx.core.app.ShareCompat$IntentBuilder.<init>():


    private ShareCompat$IntentBuilder(android.app.Activity p4)
    {
        this.mActivity = p4;
        this.mIntent = new android.content.Intent().setAction("android.intent.action.SEND");
        this.mIntent.putExtra("androidx.core.app.EXTRA_CALLING_PACKAGE", p4.getPackageName());
        this.mIntent.putExtra("androidx.core.app.EXTRA_CALLING_ACTIVITY", p4.getComponentName());
        this.mIntent.addFlags(524288);
        return;
    }

Method android.content.Intent.putExtra() not found.

[TAINT] String 'text/vnd.android.intent' ==>>> Sink '['Landroid/content/Intent;', 'putExtra', '(Ljava/lang/String; I)Landroid/content/Intent;', '1', 'IPC_SINK']' [[('Landroidx/core/app/RemoteInput;', 'addResultsToIntent', '([Landroidx/core/app/RemoteInput; Landroid/content/Intent; Landroid/os/Bundle;)V'), ('Landroidx/core/app/RemoteInput;', 'setResultsSource', '(Landroid/content/Intent; I)V'), ('Landroid/content/Intent;', 'putExtra', '(Ljava/lang/String; I)Landroid/content/Intent;')]]

Use of a string value text/vnd.android.intent to construct an Intent

Method androidx.core.app.RemoteInput.addResultsToIntent():


    public static void addResultsToIntent(androidx.core.app.RemoteInput[] p7, android.content.Intent p8, android.os.Bundle p9)
    {
        if (android.os.Build$VERSION.SDK_INT < 26) {
            int v2 = 0;
            if (android.os.Build$VERSION.SDK_INT < 20) {
                if (android.os.Build$VERSION.SDK_INT >= 16) {
                    android.content.Intent v0_1 = androidx.core.app.RemoteInput.getClipDataIntentFromIntent(p8);
                    if (v0_1 == null) {
                        v0_1 = new android.content.Intent();
                    }
                    android.os.Bundle v1_2 = v0_1.getBundleExtra("android.remoteinput.resultsData");
                    if (v1_2 == null) {
                        v1_2 = new android.os.Bundle();
                    }
                    int v3_0 = p7.length;
                    while (v2 < v3_0) {
                        String v4_0 = p7[v2];
                        CharSequence v5_1 = p9.get(v4_0.getResultKey());
                        if ((v5_1 instanceof CharSequence)) {
                            v1_2.putCharSequence(v4_0.getResultKey(), ((CharSequence) v5_1));
                        }
                        v2++;
                    }
                    v0_1.putExtra("android.remoteinput.resultsData", v1_2);
                    p8.setClipData(android.content.ClipData.newIntent("android.remoteinput.results", v0_1));
                }
            } else {
                android.content.Intent v0_4 = androidx.core.app.RemoteInput.getResultsFromIntent(p8);
                android.os.Bundle v1_5 = androidx.core.app.RemoteInput.getResultsSource(p8);
                if (v0_4 != null) {
                    v0_4.putAll(p9);
                    p9 = v0_4;
                }
                android.content.Intent v0_5 = p7.length;
                int v3_1 = 0;
                while (v3_1 < v0_5) {
                    String v4_2 = p7[v3_1];
                    CharSequence v5_4 = androidx.core.app.RemoteInput.getDataResultsFromIntent(p8, v4_2.getResultKey());
                    boolean v6_2 = new androidx.core.app.RemoteInput[1];
                    v6_2[0] = v4_2;
                    android.app.RemoteInput.addResultsToIntent(androidx.core.app.RemoteInput.fromCompat(v6_2), p8, p9);
                    if (v5_4 != null) {
                        androidx.core.app.RemoteInput.addDataResultToIntent(v4_2, p8, v5_4);
                    }
                    v3_1++;
                }
                androidx.core.app.RemoteInput.setResultsSource(p8, v1_5);
            }
        } else {
            android.app.RemoteInput.addResultsToIntent(androidx.core.app.RemoteInput.fromCompat(p7), p8, p9);
        }
        return;
    }

Method androidx.core.app.RemoteInput.setResultsSource():


    public static void setResultsSource(android.content.Intent p2, int p3)
    {
        if (android.os.Build$VERSION.SDK_INT < 28) {
            if (android.os.Build$VERSION.SDK_INT >= 16) {
                android.content.Intent v0_1 = androidx.core.app.RemoteInput.getClipDataIntentFromIntent(p2);
                if (v0_1 == null) {
                    v0_1 = new android.content.Intent();
                }
                v0_1.putExtra("android.remoteinput.resultsSource", p3);
                p2.setClipData(android.content.ClipData.newIntent("android.remoteinput.results", v0_1));
            }
        } else {
            android.app.RemoteInput.setResultsSource(p2, p3);
        }
        return;
    }

Method android.content.Intent.putExtra() not found.

[TAINT] String 'text/vnd.android.intent' ==>>> Sink '['Landroid/content/Intent;', 'putExtra', '(Ljava/lang/String; Landroid/os/Bundle;)Landroid/content/Intent;', '1', 'IPC_SINK']' [[('Landroidx/core/app/RemoteInput;', 'addResultsToIntent', '([Landroidx/core/app/RemoteInput; Landroid/content/Intent; Landroid/os/Bundle;)V'), ('Landroid/content/Intent;', 'putExtra', '(Ljava/lang/String; Landroid/os/Bundle;)Landroid/content/Intent;')]]

Use of a string value text/vnd.android.intent to construct an Intent

Method androidx.core.app.RemoteInput.addResultsToIntent():


    public static void addResultsToIntent(androidx.core.app.RemoteInput[] p7, android.content.Intent p8, android.os.Bundle p9)
    {
        if (android.os.Build$VERSION.SDK_INT < 26) {
            int v2 = 0;
            if (android.os.Build$VERSION.SDK_INT < 20) {
                if (android.os.Build$VERSION.SDK_INT >= 16) {
                    android.content.Intent v0_1 = androidx.core.app.RemoteInput.getClipDataIntentFromIntent(p8);
                    if (v0_1 == null) {
                        v0_1 = new android.content.Intent();
                    }
                    android.os.Bundle v1_2 = v0_1.getBundleExtra("android.remoteinput.resultsData");
                    if (v1_2 == null) {
                        v1_2 = new android.os.Bundle();
                    }
                    int v3_0 = p7.length;
                    while (v2 < v3_0) {
                        String v4_0 = p7[v2];
                        CharSequence v5_1 = p9.get(v4_0.getResultKey());
                        if ((v5_1 instanceof CharSequence)) {
                            v1_2.putCharSequence(v4_0.getResultKey(), ((CharSequence) v5_1));
                        }
                        v2++;
                    }
                    v0_1.putExtra("android.remoteinput.resultsData", v1_2);
                    p8.setClipData(android.content.ClipData.newIntent("android.remoteinput.results", v0_1));
                }
            } else {
                android.content.Intent v0_4 = androidx.core.app.RemoteInput.getResultsFromIntent(p8);
                android.os.Bundle v1_5 = androidx.core.app.RemoteInput.getResultsSource(p8);
                if (v0_4 != null) {
                    v0_4.putAll(p9);
                    p9 = v0_4;
                }
                android.content.Intent v0_5 = p7.length;
                int v3_1 = 0;
                while (v3_1 < v0_5) {
                    String v4_2 = p7[v3_1];
                    CharSequence v5_4 = androidx.core.app.RemoteInput.getDataResultsFromIntent(p8, v4_2.getResultKey());
                    boolean v6_2 = new androidx.core.app.RemoteInput[1];
                    v6_2[0] = v4_2;
                    android.app.RemoteInput.addResultsToIntent(androidx.core.app.RemoteInput.fromCompat(v6_2), p8, p9);
                    if (v5_4 != null) {
                        androidx.core.app.RemoteInput.addDataResultToIntent(v4_2, p8, v5_4);
                    }
                    v3_1++;
                }
                androidx.core.app.RemoteInput.setResultsSource(p8, v1_5);
            }
        } else {
            android.app.RemoteInput.addResultsToIntent(androidx.core.app.RemoteInput.fromCompat(p7), p8, p9);
        }
        return;
    }

Method android.content.Intent.putExtra() not found.