45 changes: 45 additions & 0 deletions src/mobile-pentesting/android-app-pentesting/intent-injection.md
@@ -431,6 +431,49 @@ This is useful to enumerate candidate handlers on a device/emulator and confirm

---

## Runtime intent tracing and replay with Frida (IRIS)

Static manifest review and one-shot `adb shell am ...` probes miss flows that are only assembled at runtime or that traverse exported proxy components before reaching a sensitive sink. A practical approach is to hook Android's dispatch path inside **`system_server`** with Frida, capture real intent traffic, and then replay the interesting ones.

**IRIS** ([Intent Runtime Inspection System](https://github.com/Ch0pin/iris)) is a local workflow for this: it attaches to **`system_server`**, records **caller package/process**, **target package/component**, **action**, **data URI**, **scheme/host**, **extras**, **hook stage**, and **dispatch result**, stores the normalized events in **SQLite**, and exposes filtering + replay from a local UI.

Why this helps during intent testing:
- catch **runtime-only** flows generated after login, QR scans, push notifications, WebViews, or chained proxy components
- identify which package really launched the target component before you try to spoof it
- recover the exact **action/data/extras** shape needed to reproduce a sensitive path
- confirm whether a flow is replayable with plain **`adb`** or if it depends on Android-native **`Bundle`** / **`Parcelable`** values

Minimal workflow:

```bash
# List Frida-visible devices
python3 -m intent_monitor list-devices

# Capture + serve the local UI
python3 -m intent_monitor --database ./iris.db monitor --device-id <device-id>

# Review/filter stored events from CLI
python3 -m intent_monitor --database ./iris.db list --target-package com.target.app
python3 -m intent_monitor --database ./iris.db list --action android.intent.action.VIEW
python3 -m intent_monitor --database ./iris.db list --scheme https --host example.com
```

Pentest workflow:
1. Drive the victim app normally (login, tap notifications, open QR/deep links, trigger exported receivers/services).
2. Filter for the victim package, `VIEW` actions, unusual callers, or deep-link hosts you control.
3. Replay the captured event and mutate **action/data/extras** to check whether the target component is externally triggerable or trusts caller-controlled values.
4. If replay via normal `adb` loses fidelity because extras are not simple scalars, use the optional helper APK path to rebuild complex **`Bundle`** / **`Parcelable`** payloads on-device before dispatching them.

This is especially useful for validating:
- exported **proxy Activities/Receivers/Services** that forward inbound intents
- deep-link handlers that derive privileged state from **URI host/path/extras**
- receivers/services that require a very specific extra layout and are painful to brute-force manually
- confused-deputy flows where reproducing the original **caller β†’ target** sequence matters

Notes:
- IRIS is a **dynamic discovery/replay aid**, not a proof that a component is exported or attacker-reachable by itself; always confirm the final trigger path with manifest/code review and manual `adb`/app-originated replay.
- Service hooks are marked experimental by the tool author and should be enabled only on disposable rooted devices.

## References

- [Android – Access to app-protected components](https://blog.oversecured.com/Android-Access-to-app-protected-components/)
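Review bot: the "Pentest workflow" step 3 tells the reader to "Replay the captured event and mutate action/data/extras", but the "Minimal workflow" block only shows `list-devices`, `monitor` and `list`; nothing in the hunk shows how a stored event is replayed, and the earlier sentence says replay is exposed "from a local UI". Either add the replay invocation to the bash block (if the CLI has one) or state plainly in step 3 that replay and mutation happen in the UI served by `monitor`, so the reader is not left hunting for a CLI subcommand that may not exist. Two smaller points on the same hunk: hooking dispatch inside `system_server` requires a rooted device or emulator with a matching `frida-server` already running, but that prerequisite only appears indirectly in the final note about service hooks ("disposable rooted devices"); state it once before the "Minimal workflow" block, together with how the tool is installed, since no install or clone step precedes `python3 -m intent_monitor`. Also, the arrow in the confused-deputy bullet ("caller β†’ target") renders as mojibake in this view; check the file is saved as UTF-8 or use a plain ASCII "->" as the rest of the page does for shell examples.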
@@ -461,6 +504,8 @@ This is useful to enumerate candidate handlers on a device/emulator and confirm
- [CVE-2025-12080 β€” Intent Abuse in Google Messages for Wear OS](https://towerofhanoi.it/writeups/cve-2025-12080/)
- [PoC repo – io-no/CVE-2025-12080](https://github.com/io-no/CVE-Reports/tree/main/CVE-2025-12080)
- [Android docs – Intents and Intent Filters](https://developer.android.com/guide/components/intents-filters)
- [IRIS – Intent Runtime Inspection System](https://github.com/Ch0pin/iris)
- [IRIS usage recording](https://www.youtube.com/watch?v=uU-f2zVZj7U)


{{#include ../../banners/hacktricks-training.md}}
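Review bot: the second added reference, "IRIS usage recording", names no author or channel, so a reader cannot tell whether the video is the tool author's own demo or a third-party walkthrough; the other entries in this list identify their source (a blog, a CVE writeup, a PoC repo, the Android docs), so this one should too, e.g. "IRIS usage recording (tool author)" if that is what it is. The repository entry duplicates the inline link already placed in the new section's first paragraph, which is consistent with how the rest of this page handles references, so that part is fine as is.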