Exploiting PendingIntent Provenance Confusion to Spoof Android SDK Authentication

TL;DR

This paper uncovers a fundamental flaw in Android's PendingIntent mechanism used for SDK authentication, demonstrating how attackers can impersonate partners and proposing a robust defense combining IPC and kernel-level verification.

Contribution

The paper identifies a critical provenance confusion vulnerability in PendingIntent-based authentication and proposes a scalable, secure defense architecture for cross-app SDKs.

Findings

PendingIntent cannot reliably verify sender identity due to provenance confusion.

Attackers can impersonate SDK partners using stolen PendingIntents.

The proposed defense combines Bound Service IPC with kernel caller verification.

Abstract

A single authentication bypass in a partner SDK grants attackers the identity of every partner in the ecosystem -- and millions of apps use SDKs with exactly this vulnerability. OWASP's 2024 Mobile Top 10 ranks Inadequate Supply Chain Security as the second most critical mobile risk, explicitly identifying third-party SDKs as a primary attack vector. Cross-app mobile SDKs -- where a partner application communicates with a platform provider's application via inter-process communication (IPC) -- mediate sensitive operations such as content publishing, payment initiation, and identity federation. Unlike embedded libraries that execute within a single app's process, cross-app SDKs require the provider's service to authenticate the calling application at runtime. A pattern sometimes used for this authentication relies on PendingIntent.getCreatorPackage() to verify sender identity. We demonstrate that this mechanism exhibits a fundamental provenance confusion vulnerability: a PendingIntent reliably identifies who created it but cannot attest who presents it -- and this distinction is fatal for authentication. An attacker app with notification access can steal a legitimate partner's PendingIntent via NotificationListenerService and replay it to impersonate that partner, bypassing authentication entirely. The attack succeeds against both mutable and immutable PendingIntents because immutability protects the token's contents, not its provenance. We systematically evaluate eight Android IPC authentication mechanisms against an SDK-specific threat model and present a defense architecture combining Bound Service IPC with kernel-level caller verification via Binder.getCallingUid(), supplemented by server-side certificate-hash validation. This provides authentication guarantees while remaining scalable across partner ecosystems.