Dart Intent Sensitive Communication
Description
This vulnerability detector identifies Android intent-based security issues in Dart code where sensitive data may be exposed through unsafe intent communication. It flags insecure use of Android intents that could allow malicious apps to intercept sensitive information or perform unauthorized actions.
Detection Strategy
• The detector first checks if the Dart code imports Android intent classes (specifically AndroidIntent or classes with intent-related prefixes)
• It then examines method calls to identify potentially dangerous sink functions that handle intent operations
• For each suspicious method call, it traces back to the intent object definition to determine if it's configured insecurely
• A vulnerability is reported when code uses unsafe Android intent configurations in combination with sensitive operations, creating potential for data leakage or unauthorized access
Vulnerable code example
import 'package:android_intent_plus/android_intent.dart';

class VulnerableIntentExample {
  Future<void> sendSensitiveData() async {
    final password = "MySecretPassword123";
    final token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";
    // Sending password through implicit intent - can be intercepted...
Secure code example
import 'package:android_intent_plus/android_intent.dart';

class SecureIntentExample {
  Future<void> sendDataSecurely() async {
    final password = "MySecretPassword123";
    final token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";
    // Safe: explicit package target prevents intent interception...
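
The two snippets above are cut off before the intent is built, so the following added example (not the page's or Fluid Attacks' own code) shows the implicit pattern the detector targets next to an explicit one, using the android_intent_plus API. The action string, package name, component name and function names are hypothetical.

```dart
// Added example, not the page's own code. Requires the android_intent_plus
// plugin; the action, package and component names below are hypothetical.
import 'package:android_intent_plus/android_intent.dart';

// Hypothetical receiver: a companion app published by the same vendor.
const _trustedPackage = 'com.example.companion';
const _trustedComponent = 'com.example.companion.SessionActivity';
const _handoffAction = 'com.example.action.SESSION_HANDOFF';

/// Vulnerable: implicit intent. Only the action is set, so Android resolves
/// the receiver at run time, and any installed app that declares a matching
/// intent filter can end up receiving the extras.
Future<void> handOffSessionImplicit(String token) async {
  final intent = AndroidIntent(
    action: _handoffAction,
    arguments: <String, dynamic>{'session_token': token},
  );
  await intent.launch();
}

/// Hardened: explicit intent. `package` and `componentName` pin the receiver,
/// so other apps' intent filters take no part in resolution.
Future<bool> handOffSessionExplicit(String token) async {
  final intent = AndroidIntent(
    action: _handoffAction,
    package: _trustedPackage,
    componentName: _trustedComponent,
    arguments: <String, dynamic>{'session_token': token},
  );
  // Fail closed when the pinned receiver is missing instead of falling back
  // to an implicit launch. On Android 11+ the receiver package must be listed
  // under <queries> in the manifest for this check to see it.
  final resolvable = await intent.canResolveActivity();
  if (resolvable != true) {
    return false;
  }
  await intent.launch();
  return true;
}
```

In a review, the presence of `package` or `componentName` on the `AndroidIntent` that reaches `launch()`, `sendBroadcast()` or `sendService()` is the property to check whenever the arguments carry credentials or tokens.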