PIAnalyzer: A Precise Approach for PendingIntent Vulnerability Analysis

ESORICS (2)(2018)

Abstract
PendingIntents are a powerful and universal feature of Android for inter-component communication. A PendingIntent holds a base intent to be executed by another application with the creator’s permissions and identity without the creator necessarily residing in memory. While PendingIntents are useful for many scenarios, e.g., for setting an alarm or getting notified at some point in the future, insecure usage of PendingIntents causes severe security threats in the form of denial-of-service, identity theft, and privilege escalation attacks. An attacker may gain up to SYSTEM privileges to perform the most sensitive operations, e.g., deleting user’s data on the device. However, so far no tool can detect these PendingIntent vulnerabilities.
Keywords
Android, Intent analysis, Information flow control, Static analysis