When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Defenders should validate the entirety of the URI. For example, the URI's scheme should be https and the URI's host should be on a list of trusted hosts.[1]
Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.[2][3]
On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.
| Data Component | Name | Channel |
|---|---|---|
| API Calls (DC0112) | Application Vetting | None |
| System Notifications (DC0117) | User Interface | None |
When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents.
Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.[2][4]
| Data Component | Name | Channel |
|---|---|---|
| API Calls (DC0112) | Application Vetting | None |
| System Notifications (DC0117) | User Interface | None |