android-intent-security

Installation
SKILL.md

This skill provides guidelines and patterns to secure Android components (Activities, Services, Broadcast Receivers, Content Providers) and handle Intents safely, preventing privilege escalation and unauthorized access.

Glossary

  • Intent: An asynchronous messaging object used to request an action from another app component.
  • Exported component: A component (android:exported="true") that can be launched by other apps on the device.
  • Sticky intent: A broadcast intent that remains in the system cache after it's sent, allowing any app to retrieve its contents.
  • Signature permission: A permission whose protection level is set to signature, granted only to apps signed with the same developer key.
  • onNewIntent: An activity lifecycle callback invoked when an activity is launched with FLAG_ACTIVITY_SINGLE_TOP and is already running at the top of the history stack.
  • PendingIntent: A token granted to a foreign application (for example, system services) allowing it to execute a predefined Intent with the creator's permissions.
  • Mutable PendingIntent: A PendingIntent whose underlying Intent parameters can be modified by the receiving application.
  • ContentProvider: A component that encapsulates data and provides it to other applications via standard query/insert interfaces.
  • IntentSanitizer: A utility class in AndroidX Core used to build a safe, sanitized copy of an incoming Intent by filtering out unauthorized components, actions, or extras.
  • Intent redirection (forwarding): A vulnerability where an application receives an intent from an untrusted source and uses it to launch a private, non-exported component.

Prerequisites

Installs
142
Repository
android/skills
GitHub Stars
6.1K
First Seen
Jun 24, 2026
android-intent-security — android/skills