diff --git a/src/mobile-pentesting/android-app-pentesting/intent-injection.md b/src/mobile-pentesting/android-app-pentesting/intent-injection.md index a43f78ab26c..66820f1296a 100644 --- a/src/mobile-pentesting/android-app-pentesting/intent-injection.md +++ b/src/mobile-pentesting/android-app-pentesting/intent-injection.md 
@@ -431,6 +431,49 @@ This is useful to enumerate candidate handlers on a device/emulator and confirm --- +## Runtime intent tracing and replay with Frida (IRIS) + +Static manifest review and one-shot `adb shell am ...` probes miss flows that are only assembled at runtime or that traverse exported proxy components before reaching a sensitive sink. A practical approach is to hook Android's dispatch path inside **`system_server`** with Frida, capture real intent traffic, and then replay the interesting ones. + +**IRIS** ([Intent Runtime Inspection System](https://github.com/Ch0pin/iris)) is a local workflow for this: it attaches to **`system_server`**, records **caller package/process**, **target package/component**, **action**, **data URI**, **scheme/host**, **extras**, **hook stage**, and **dispatch result**, stores the normalized events in **SQLite**, and exposes filtering + replay from a local UI. + +Why this helps during intent testing: +- catch **runtime-only** flows generated after login, QR scans, push notifications, WebViews, or chained proxy components +- identify which package really launched the target component before you try to spoof it +- recover the exact **action/data/extras** shape needed to reproduce a sensitive path +- confirm whether a flow is replayable with plain **`adb`** or if it depends on Android-native **`Bundle`** / **`Parcelable`** values + +Minimal workflow: + +```bash +# List Frida-visible devices +python3 -m intent_monitor list-devices + +# Capture + serve the local UI +python3 -m intent_monitor --database ./iris.db monitor --device-id + +# Review/filter stored events from CLI +python3 -m intent_monitor --database ./iris.db list --target-package com.target.app +python3 -m intent_monitor --database ./iris.db list --action android.intent.action.VIEW +python3 -m intent_monitor --database ./iris.db list --scheme https --host example.com +``` + +Pentest workflow: +1. 
Drive the victim app normally (login, tap notifications, open QR/deep links, trigger exported receivers/services). +2. Filter for the victim package, `VIEW` actions, unusual callers, or deep-link hosts you control. +3. Replay the captured event and mutate **action/data/extras** to check whether the target component is externally triggerable or trusts caller-controlled values. +4. If replay via normal `adb` loses fidelity because extras are not simple scalars, use the optional helper APK path to rebuild complex **`Bundle`** / **`Parcelable`** payloads on-device before dispatching them. + +This is especially useful for validating: +- exported **proxy Activities/Receivers/Services** that forward inbound intents +- deep-link handlers that derive privileged state from **URI host/path/extras** +- receivers/services that require a very specific extra layout and are painful to brute-force manually +- confused-deputy flows where reproducing the original **caller → target** sequence matters + +Notes: +- IRIS is a **dynamic discovery/replay aid**, not a proof that a component is exported or attacker-reachable by itself; always confirm the final trigger path with manifest/code review and manual `adb`/app-originated replay. +- Service hooks are marked experimental by the tool author and should be enabled only on disposable rooted devices. + ## References - [Android – Access to app-protected components](https://blog.oversecured.com/Android-Access-to-app-protected-components/) 
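Review bot: In the "Minimal workflow" fence, the capture command `python3 -m intent_monitor --database ./iris.db monitor --device-id` ends with `--device-id` and no value, so a reader copying it gets an argument-parsing error; it should carry a placeholder that matches the preceding `list-devices` step, e.g. `monitor --device-id <id from list-devices>`. Related gap: the section promises "filtering + replay from a local UI" and step 3 of the pentest workflow says to "replay the captured event", but no replay invocation (UI action or CLI subcommand) appears in the snippet, and step 4's "optional helper APK path" is never named or linked, so the replay half of the workflow is not reproducible from this page; either add the replay step to the fence or point to where the helper APK is documented in the IRIS repo. Minor: the "Notes" bullet restricting experimental Service hooks to disposable rooted devices could state that the whole approach already requires a rooted device or emulator with frida-server, since hooking `system_server` is not possible otherwise.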
@@ -461,6 +504,8 @@ This is useful to enumerate candidate handlers on a device/emulator and confirm - [CVE-2025-12080 — Intent Abuse in Google Messages for Wear OS](https://towerofhanoi.it/writeups/cve-2025-12080/) - [PoC repo – io-no/CVE-2025-12080](https://github.com/io-no/CVE-Reports/tree/main/CVE-2025-12080) - [Android docs – Intents and Intent Filters](https://developer.android.com/guide/components/intents-filters) +- [IRIS – Intent Runtime Inspection System](https://github.com/Ch0pin/iris) +- [IRIS usage recording](https://www.youtube.com/watch?v=uU-f2zVZj7U) {{#include ../../banners/hacktricks-training.md}}
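Review bot: The second added reference, "IRIS usage recording", is less descriptive than its neighbours, which all state tool/description in the "Name – what it is" form; consider "IRIS – usage walkthrough (video)" so a reader knows it is a demo rather than documentation. Otherwise the two entries match the list's existing style and correspond to the links used in the new section above.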