Don't Leave Me Outdated!

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://tuxplorer.com/posts/dont-leave-me-outdated/
• Blog Title: Don't Leave Me Outdated!
• Suggested Section: Mobile Pentesting -> Android -> Intent Scheme Handling & ContentProvider/FileProvider Abuse (Intent:// to content:// pivot with legacy URI grant on Android ≤13)

🎯 Content Summary

Scope and ID
Real-world Android attack chain against DuckDuckGo for Android (Android ≤ 13) that enables arbitrary file exfiltration via Intent-scheme handling and legacy auto URI-permission grants. Tracked as CVE-2025-48464.

Targeted data
DuckDuckGo’s Sync & Backup feature generates a sensitive PDF named Sync Data Recovery - DuckDuckGo.pdf containing a QR code and alphanu...

🔧 Technical Details

Intent-scheme pivot to ContentProvider reads. If a browser parses intent: URLs and launches them, embed a content:// URI (pointing to a victim app’s FileProvider) and set the component= to an attacker-exported Activity. On Android ≤13, include S.android.intent.extra.TEXT=... (or HTML_TEXT) to trigger the framework’s legacy auto-add of FLAG_GRANT_READ_URI_PERMISSION. After the browser’s one-tap confirmation, the attacker Activity calls ContentResolver.openInputStream() to read and copy the file.

Abusing app-internal intent routing. When a WebView’s shouldOverrideUrlLoading() delegates to logic that classifies and parses intent: schemes (e.g., via Intent.parseUri()) and then calls startActivity(), the browser effectively acts as a privileged proxy. Attackers rely on that proxy to originate the Intent so the platform tre...

🤖 Agent Actions

I analyzed the blog and HackTricks structure, found the best spot, and implemented the update.

What I added

• Technique: Intent-scheme pivot to ContentProvider file reads on Android ≤ 13 via legacy auto FLAG_GRANT_READ_URI_PERMISSION when certain text extras are present.
• Context: Real-world chain as seen in DuckDuckGo for Android, where a browser accepts intent: URLs, parses them with Intent.parseUri(...), and calls startActivity() after a 1-tap prompt. With a FileProvider set with grantUriPermissions=true, a crafted intent:// with data=content:// and S.android.intent.extra.TEXT=... can grant temporary read access to sensitive files to an attacker-exported activity.
• Content includes:
  • Attack overview and applicability conditions
  • Hunting checklist for both browser/host app and victim app
  • HTML PoC payload (meta refresh to intent://…) and short attacker Activity code to exfiltrate via ContentResolver.openInputStream()
  • Defensive guidance for apps/browsers and platform notes
  • Emphasis on how a non-exported FileProvider with a narrow path can still be abused through unintended auto-grants

Repository exploration

• Reviewed Android-related pages (≥5 files) to ensure the content is not already covered and to choose the precise location:
  • src/mobile-pentesting/android-app-pentesting/intent-injection.md
  • src/mobile-pentesting/android-app-pentesting/webview-attacks.md
  • src/mobile-pentesting/android-app-pentesting/content-protocol.md
  • src/mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
  • src/mobile-pentesting/android-app-pentesting/android-applications-basics.md
  • src/mobile-pentesting/android-app-pentesting/README.md

Decision on placement

• Best fit: src/mobile-pentesting/android-app-pentesting/intent-injection.md
  • This page discusses Intent injection, Intent.parseUri hazards, and proxying Intents through app components. The new technique is a specialized, actionable extension of Intent scheme handling and ContentProvider abuse tied together via the legacy auto-grant behavior in Android ≤ 13—so it belongs here.
• I chose not to create a new page because the technique is a focused variant of Intent injection and ContentProvider issues, already covered thematically in existing pages.

Changes implemented

1. Inserted a new detailed section before the “Intent Redirection (CWE-926)” section:

• File: src/mobile-pentesting/android-app-pentesting/intent-injection.md
• Section title: “Intent:// → content:// pivot via legacy URI grant (Android ≤ 13)”
• Includes:
  • Exploit overview and key ideas
  • Hunting checklist
  • HTML PoC (intent://...) and attacker Activity code snippet
  • Preconditions, notes/gotchas, defensive guidance, and platform guidance

2. Updated References in the same file to include:

• Don’t Leave Me Outdated! – Intent scheme to FileProvider pivot (Android ≤13)
• AOSP Intent.java (Android 13) – legacy auto-grant behavior reference

Technical references used

• Blog: https://tuxplorer.com/posts/dont-leave-me-outdated/
• AOSP Intent.java (Android 13): https://cs.android.com/android/platform/superproject/+/android13-release:frameworks/base/core/java/android/content/Intent.java

Tool actions performed

• Modified file: src/mobile-pentesting/android-app-pentesting/intent-injection.md
  • Inserted the new section
  • Appended references

No other files required modification. The content follows HackTricks style, includes code blocks, and provides a concise, reusable technique abstraction with PoC and defenses.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://tuxplorer.com/posts/dont-leave-me-outdated/

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android -> Intent Scheme Handling & ContentProvider/FileProvider Abuse (Intent:// to content:// pivot with legacy URI grant on Android ≤13)".

Repository Maintenance:

• MD Files Formatting: 901 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0