ScreaMy7
Collaborator

closes #2997

@ScreaMy7
Collaborator Author

@cpholguera Please review. This format is slightly different, so please let me know the changes that are needed.

Collaborator

@TheDauntless TheDauntless left a comment

Hi @ScreaMy7 ! Thanks for contributing!

This PR is mixing up two different things though. Implicit intents are an issue because they can be intercepted by other applications, thereby possibly intercepting sensitive information. While the explanation seems to be correct, the demo itself doesn't show the vulnerability. Can you please update the code to showcase the vulnerability?

@ScreaMy7
Collaborator Author

@TheDauntless Thanks for the review. Have you tried the dynamic demo, which has an attacker application to trigger the intent redirect to the internal parts of the vulnerable application? Could you please explain more about the mix-up?

@TheDauntless
Collaborator

TheDauntless commented Jun 18, 2025

@ScreaMy7

Either the explanation of the test is wrong, or the implementation.

This test is about implicit intent interception so the demo would be:

  • The vulnerable app has an intent-filter on a non-exported activity (currently not the case)
  • The attacker app has the same intent filter (currently not the case)
  • The vulnerable app launches its vulnerable activity with an implicit intent and passes some sensitive data (currently not the case)

Result: The user can choose between the legitimate app and the attacker app, and the sensitive data would leak if they choose the attacker app

Your demo describes the attacker intercepting data, but data isn't intercepted anywhere? You're just triggering an implicit activity with an explicit intent; all the data stays inside of the vulnerableapp. Where is the attack? What you are describing is something that Android fixes itself in Android 15: https://developer.android.com/about/versions/15/behavior-changes-15#safer-intents
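
The manifest side of the setup described in the comment above can be checked statically. The following is an added example, not code from the PR or from the MASTG: it lists every component whose intent filter declares a non-platform action, since those are the action strings another app could also register, and it covers services and receivers as well as the activity case discussed in the thread. The sample manifest, package name and action string are constructed, and treating any action that does not start with `android.` as custom is an assumption.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest (not from the PR): a launcher activity using only
# platform actions, and a non-exported activity reachable via a custom action.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnerableapp">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SensitiveActivity" android:exported="false">
      <intent-filter>
        <action android:name="com.example.vulnerableapp.SHOW_SECRET"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

def custom_action_filters(manifest_xml):
    """Return (component, exported, action) for every non-platform action.

    Any installed app can declare an identical filter, so each hit marks an
    action whose implicit senders need review (an explicit component or
    Intent.setPackage keeps the data inside the app).
    """
    findings = []
    root = ET.fromstring(manifest_xml)
    for tag in ("activity", "activity-alias", "service", "receiver"):
        for comp in root.iter(tag):
            name = comp.get(A + "name")
            # None means android:exported is absent; the effective default then
            # depends on the target SDK, so it is reported unchanged.
            exported = comp.get(A + "exported")
            for action in comp.findall("intent-filter/action"):
                action_name = action.get(A + "name", "")
                if not action_name.startswith("android."):
                    findings.append((name, exported, action_name))
    return findings

if __name__ == "__main__":
    for name, exported, action in custom_action_filters(SAMPLE_MANIFEST):
        print(f"{name}: exported={exported} custom action {action}")
```

A hit with `exported="false"` is the case from the comment: the component is only meant to be started by its own app, so any implicit intent in the code that uses the reported action is where the data can leave the app.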

@ScreaMy7 ScreaMy7 requested a review from TheDauntless July 4, 2025 08:57
@ScreaMy7
Collaborator Author

ScreaMy7 commented Jul 4, 2025

Hi @TheDauntless ,
I have updated the demo, please review it.

@cpholguera cpholguera requested a review from Copilot August 31, 2025 18:30
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR ports the deprecated MASTG-TEST-0026 (Testing Implicit Intents) to MASTG V2 format by creating two new tests that cover different aspects of implicit intent vulnerabilities. The change maintains backward compatibility by marking the original test as deprecated while providing comprehensive coverage through static and dynamic analysis approaches.

  • Deprecates MASTG-TEST-0026 and creates MASTG-TEST-0287 (static analysis) and MASTG-TEST-0286 (dynamic analysis)
  • Adds comprehensive demonstration files showing both vulnerable code patterns and exploitation techniques
  • Includes Semgrep rule for automated detection of exported activities with custom intent filters

Reviewed Changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| tests/android/MASVS-CODE/MASTG-TEST-0026.md | Marks original test as deprecated with references to new tests |
| tests-beta/android/MASVS-CODE/MASTG-TEST-0287.md | New static analysis test for implicit intent vulnerabilities |
| tests-beta/android/MASVS-CODE/MASTG-TEST-0286.md | New dynamic analysis test for implicit intent interception |
| rules/mastg-android-custom-intent-intecept.yml | Semgrep rule for detecting vulnerable intent filter configurations |
| demos/android/MASVS-CODE/MASTG-DEMO-0059/ | Static analysis demonstration with Semgrep output |
| demos/android/MASVS-CODE/MASTG-DEMO-0058/ | Dynamic analysis demonstration with vulnerable and attacker code |

@@ -0,0 +1,28 @@
---
title: Implicit intent to intecept internal app components

Copilot AI Aug 31, 2025

There's a typo in the title: 'intecept' should be 'intercept'.

Suggested change
title: Implicit intent to intecept internal app components
title: Implicit intent to intercept internal app components

@@ -0,0 +1,2 @@
# shellcheck disable=SC2148
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-custom-intent-filter-intercept.yml ../MASTG-DEMO-0058/AndroidManifest_reversed.xml --text -o output.txt
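
Review bot: The `-c` path on the semgrep line names `mastg-android-custom-intent-filter-intercept.yml`, while the file summary for this PR lists the rule as `rules/mastg-android-custom-intent-intecept.yml`, so the script has no rule to load. Rather than pointing the script at the misspelled filename, consider renaming the rule file to a correctly spelled name and updating this line and the `{{ ... }}` include in the demo text in the same commit. The scan target is `../MASTG-DEMO-0058/AndroidManifest_reversed.xml`, so this demo depends on MASTG-DEMO-0058 keeping that file; a sentence in the demo text saying so would make the dependency visible.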

Copilot AI Aug 31, 2025

The referenced rule file 'mastg-android-custom-intent-filter-intercept.yml' doesn't match the actual filename 'mastg-android-custom-intent-intecept.yml'. This will cause the semgrep command to fail.

Suggested change
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-custom-intent-filter-intercept.yml ../MASTG-DEMO-0058/AndroidManifest_reversed.xml --text -o output.txt
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-custom-intent-intecept.yml ../MASTG-DEMO-0058/AndroidManifest_reversed.xml --text -o output.txt


Let's run our @MASTG-TOOL-0110 rule against the manifest file and code.

{{ ../../../../rules/mastg-android-custom-intent-filter-intercept.yml }}

Copilot AI Aug 31, 2025

The referenced rule file path 'mastg-android-custom-intent-filter-intercept.yml' doesn't match the actual filename 'mastg-android-custom-intent-intecept.yml'. This will result in a broken reference.

Suggested change
{{ ../../../../rules/mastg-android-custom-intent-filter-intercept.yml }}
{{ ../../../../rules/mastg-android-custom-intent-intecept.yml }}

@@ -0,0 +1,25 @@
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.datainteceptor">
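
Review bot: The `package` attribute on `<manifest>` carries the 'datainteceptor' misspelling, and the same name is declared in the `package` line of both Kotlin files in this demo. If it is corrected, change all three together (and the source directory, if it mirrors the package), because a manifest that names one package while the classes are declared in another leaves any relative component names unresolvable.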

Copilot AI Aug 31, 2025

There's a typo in the package name: 'datainteceptor' should be 'datainterceptor' to match the correct spelling of 'interceptor'.

Suggested change
package="com.example.datainteceptor">
package="com.example.datainterceptor">

@@ -0,0 +1,15 @@
package com.example.datainteceptor

Copilot AI Aug 31, 2025

There's a typo in the package name: 'datainteceptor' should be 'datainterceptor' to match the correct spelling of 'interceptor'.

Suggested change
package com.example.datainteceptor
package com.example.datainterceptor

@@ -0,0 +1,24 @@
package com.example.datainteceptor

Copilot AI Aug 31, 2025

There's a typo in the package name: 'datainteceptor' should be 'datainterceptor' to match the correct spelling of 'interceptor'.

Suggested change
package com.example.datainteceptor
package com.example.datainterceptor


Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0026: Testing Implicit Intents (android)