Warning: Activity Intent Extras Can Be Public

A participant in today’s office hours online chat pointed out something to me that I had not realized before: Intent extras can be publicly visible to other applications. Specifically, the Intents associated with recent tasks are visible, and hence their extras can be accessed.

When you long-press on the HOME key, you are displaying a dialog box of the recent tasks. The data behind that dialog is available via getRecentTasks() on ActivityManager (which, in turn, you get via getSystemService() on any handy Context). The big piece of data in a RecentTaskInfo object is baseIntent, described as “the original Intent used to launch the task”. All data on this Intent is readable by any application that holds the GET_TASKS permission.

Hence, in any situation where you are starting an activity that might start a new task, you need to be very careful about your Intent extras. Like many developers, I had considered Intent extras to be private, only visible to sender and recipient… but in this specific case, that is not true. Passing authentication credentials (e.g., bank PINs) via activity Intent extras, therefore, is not safe.

However, this is limited to tasks, so Intent objects used with startService() and sendBroadcast() are not stored in getRecentTasks(), at least based on the testing I performed today.

Want an expert opinion on your Android app architecture decisions? Perhaps Mark Murphy can help!