Warning: Activity Intent Extras Can Be Public
A participant in today's office hours online chat pointed out something to me that I had not realized before: Intent extras can be publicly visible to other applications. Specifically, Intents associated with recent tasks are visible, and hence their extras can be accessed.
When you long-press the HOME key, you are displaying a dialog box of the recent tasks. The data behind that dialog is available via ActivityManager (which, in turn, you get via getSystemService() on any handy Context). The big piece of data in a RecentTaskInfo object is baseIntent, described as "the original Intent used to launch the task". All data on this Intent is readable by any application that holds the
Hence, in any situation where you are starting an activity that might start a new task, you need to be very careful about your Intent extras. Like many developers, I had considered
to be private, only visible to sender and recipient… but in this specific case, that is not true. Passing authentication credentials (e.g., bank PINs) via activity Intent extras, therefore, is not
However, this is limited to tasks, so Intent objects used with
are not stored in getRecentTasks(), at least based on the testing I performed today.
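One mitigation for the problem described above, as an added example rather than code from the original post: keep the sensitive values in-process and let only a random, single-use token travel in the Intent, so the baseIntent that lands in getRecentTasks() carries nothing worth reading. The PrivateExtras class, the EXTRA_TOKEN key and the strip()/claim() methods are hypothetical names, and the helper assumes sender and recipient activities run in the same process.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper: keeps named extras out of a (possibly public) task Intent. */
public final class PrivateExtras {
    // Hypothetical extra key; only an opaque token is ever stored under it.
    public static final String EXTRA_TOKEN = "com.example.PRIVATE_EXTRAS_TOKEN";
    private static final Map<String, Bundle> STASH = new HashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    private PrivateExtras() {}

    // Moves every extra whose key is in sensitiveKeys out of the Intent and into
    // the in-process stash, replacing them with one random 128-bit token.
    public static Intent strip(Intent intent, Set<String> sensitiveKeys) {
        Bundle extras = intent.getExtras();
        if (extras == null) return intent;
        Bundle hidden = new Bundle(extras);           // copy, then drop the non-sensitive keys
        for (String key : extras.keySet()) {
            if (!sensitiveKeys.contains(key)) hidden.remove(key);
        }
        if (hidden.isEmpty()) return intent;           // nothing sensitive present
        for (String key : sensitiveKeys) intent.removeExtra(key);
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder token = new StringBuilder(32);
        for (byte b : raw) token.append(String.format("%02x", b));
        synchronized (STASH) { STASH.put(token.toString(), hidden); }
        return intent.putExtra(EXTRA_TOKEN, token.toString());
    }

    // Called once by the receiving Activity (e.g., in onCreate). The entry is
    // consumed on first use, so a later re-launch of the same recent task finds
    // nothing. If the process was killed in between, the stash is gone as well,
    // and the caller must treat null as "credentials not available" rather than
    // fall back to reading them from the Intent.
    public static Bundle claim(Activity activity) {
        String token = activity.getIntent().getStringExtra(EXTRA_TOKEN);
        if (token == null) return null;
        synchronized (STASH) { return STASH.remove(token); }
    }
}
```

The token itself still appears in baseIntent, but it is random, unguessable and invalid after the first claim(), so an app reading the recent-task Intent learns nothing from it.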
Want an expert opinion on your Android app architecture decisions? Perhaps Mark Murphy can help!