Warning: Activity Intent Extras Can Be Public
A participant in today’s office hours online chat pointed out something to me that I had not realized before:
Intent extras can be publicly visible to other applications. Specifically, the Intents associated with recent tasks are visible, and hence their extras can be accessed.
When you long-press on the HOME key, you are displaying a dialog box of the recent tasks. The data behind that dialog is available via ActivityManager (which, in turn, you get via getSystemService() on any handy Context). The big piece of data in a RecentTaskInfo object is baseIntent, described as “the original Intent used to launch the task”. All data on this Intent is readable by any application that holds the
Hence, in any situation where you are starting an activity that might start a new task, you need to be very careful about your Intent extras. Like many developers, I had considered Intent extras to be private, only visible to sender and recipient… but in this specific case, that is not true. Passing authentication credentials (e.g., bank PINs) via activity Intent extras, therefore, is not safe.
However, this is limited to tasks, so Intent objects used with sendBroadcast() are not stored in getRecentTasks(), at least based on the testing I performed today.
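One way to keep a credential off the Intent that may become a task's baseIntent, shown as an added example that is not code from the original post: the secret stays in process memory and only a random single-use token travels as an extra. The class name SecretHandoff, the extra key, and the assumption that sender and recipient run in the same app process are all hypothetical.

```java
import android.content.Context;
import android.content.Intent;
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: holds secrets in memory and hands out one-time tokens. */
public final class SecretHandoff {
    // Assumed extra key; the value carried under it is not sensitive on its own.
    private static final String EXTRA_TOKEN = "com.example.EXTRA_HANDOFF_TOKEN";
    private static final ConcurrentHashMap<String, char[]> PENDING =
            new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    private SecretHandoff() {}

    // Pattern the post warns about, for contrast:
    //   intent.putExtra("pin", pin);      // may be kept in RecentTaskInfo.baseIntent
    //   context.startActivity(intent);

    /** Sender side: keep the secret locally, put only a random token on the Intent. */
    public static void start(Context context, Intent intent, char[] secret) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder token = new StringBuilder(32);
        for (byte b : raw) {
            token.append(String.format("%02x", b));
        }
        PENDING.put(token.toString(), secret.clone());
        intent.putExtra(EXTRA_TOKEN, token.toString());
        context.startActivity(intent);
    }

    /** Recipient side (e.g. in onCreate): redeem the token once, or get null. */
    public static char[] redeem(Intent intent) {
        String token = intent.getStringExtra(EXTRA_TOKEN);
        if (token == null) {
            return null;
        }
        // remove() makes the token single-use. It also returns null after
        // process death, in which case the activity should ask the user again.
        return PENDING.remove(token);
    }
}
```

An application that later reads the stored Intent sees only the token, which has already been redeemed or refers to memory in a process it cannot reach.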