npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck
This skill uses the workspace's default tool permissions.
Detects IPC receivers that accept input without verifying the caller's identity. Open IPC channels let malicious apps hijack URL schemes, trigger exported components, or inject data through shared channels.
- application(_:open:url:options:) with no scheme/host allowlist — any app can invoke your URL handler
- <activity android:exported="true"> on sensitive screens without a permission check
- net.createServer(conn => handle(conn.data)) bound to 0.0.0.0 without authentication
- android:permission handling sensitive actions
- connection.effectiveUserIdentifier

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:
- android:exported="true" without android:permission makes the component callable by anything on the phone. Intent extras are validated against a schema before use.
- 127.0.0.1/::1, never 0.0.0.0, when the listener is for same-host IPC. An auth token or peer-cred check runs before the handler acts on any command.
- effectiveUserIdentifier, code-signing requirement, or pipe ACL before any privileged action. Electron/renderer IPC handlers check event.senderFrame.url against an origin allowlist with context isolation on.
- exec / eval / Runtime.exec unvalidated. The channel is an attacker-reachable surface; treat its payloads like network input.

Anchor — shape, not implementation:
# URL scheme
require(url.scheme in ALLOWED_SCHEMES and url.host in ALLOWED_HOSTS)
# exported Android component → android:permission="com.example.INVOKE" (signature-level)
# socket listener
server = listen_unix("/var/run/app.sock") # not 0.0.0.0
require(peer_cred_ok(conn) or valid_token(conn.read(32)))
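
The socket-listener lines of the anchor above, worked through as an added example (not code from the soundcheck skill). It assumes Linux, where SO_PEERCRED is available; `listen_unix` and `peer_cred_ok` reuse the anchor's names with implementations written here, while `peer_uid`, `handle`, and `ALLOWED_COMMANDS` are hypothetical.

```python
import os
import socket
import struct

ALLOWED_COMMANDS = {"ping", "status"}  # constructed command set for the example

def listen_unix(path):
    """Same-host listener: Unix socket created 0600, never a TCP port on 0.0.0.0."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # socket file is created with mode 0600
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(8)
    return srv

def peer_uid(conn):
    """UID of the connecting process as reported by the kernel (Linux SO_PEERCRED)."""
    fmt = "iII"  # struct ucred: pid, uid, gid
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    _pid, uid, _gid = struct.unpack(fmt, raw)
    return uid

def peer_cred_ok(conn, allowed_uids):
    """True only for a Unix-socket peer whose UID is in the allowlist."""
    if conn.family != socket.AF_UNIX:
        return False  # TCP peers carry no kernel-verified identity
    try:
        return peer_uid(conn) in allowed_uids
    except OSError:
        return False  # fail closed if credentials cannot be read

def handle(conn, allowed_uids):
    """Check the caller first, then validate the payload like network input."""
    if not peer_cred_ok(conn, allowed_uids):
        conn.sendall(b"ERR unauthorized\n")
        return "rejected"
    cmd = conn.recv(64).decode("ascii", "replace").strip()
    if cmd not in ALLOWED_COMMANDS:  # allowlist; nothing reaches exec/eval
        conn.sendall(b"ERR unknown command\n")
        return "invalid"
    conn.sendall(b"OK " + cmd.encode("ascii") + b"\n")
    return "ok"
```

The UID allowlist is the peer-cred branch of the anchor's `require(...)`; a deployment that cannot rely on peer credentials would put the token check in the same place, before any command is read.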
Confirm the following properties hold for every IPC surface present in the change (criteria only apply when the relevant pattern exists):
- application(_:open:url:), Android <intent-filter> with custom scheme, Windows protocol handler): the scheme, host, and path are validated against a static allowlist before any action runs
- android:exported="true" activity, service, or BroadcastReceiver): the component is protected by android:permission with android:protectionLevel="signature", or the receiver explicitly verifies the caller package, and sensitive Intent extras are validated against a schema before use
- net.createServer, Python socket, Go net.Listen): the listener binds to a Unix domain socket or 127.0.0.1/::1 — never 0.0.0.0 or a public interface — and requires an auth token or peer-cred check before handling commands
- ipcMain.handle, ipcMain.on): the handler verifies event.senderFrame.url origin against an allowlist, and contextIsolation is enabled with nodeIntegration disabled
- NSXPCListener, xpc_connection_set_event_handler): the caller identity is verified via connection.effectiveUserIdentifier, code-signing requirement, or pipe ACL before privileged actions run
- exec/eval/Runtime.exec is called with unvalidated IPC-supplied input on any of the above surfaces