Bypassing Intent Destination Checks, LaunchAnyWhere Privilege Escalation
Qidan He
DEF CON 33 · Day 1 · Main Stage
In this DEF CON talk, security researcher Qidan He unveils "Bad Resolve," a novel class of **LaunchAnywhere** privilege escalation vulnerabilities affecting modern Android systems. The presentation details a **time-of-check to time-of-use (ToCToU)** attack that bypasses the existing intent destination checks, allowing a low-privileged attacker application to launch protected or unexported activities inside privileged system applications such as Settings. The research challenges the long-standing security model of Android's Intent-based inter-process communication (IPC), showing how subtle race conditions in the intent resolution process can lead to severe privilege escalation, enabling actions such as changing the PIN or placing phone calls without explicit user permission.
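The abstract names the primitive but not the mechanism, so the following is a constructed illustration of what "a ToCToU race that bypasses a destination check" means in general, not code from the talk, from Android, or from the speaker. It models a privileged forwarder that validates the target component of an intent-like object and then resolves it again from the same object; a deterministic `race_window` callback stands in for the scheduling gap in which a sender can retarget the object. The component names, the protected set and the hook are all assumptions, and the actual window exploited in Bad Resolve is not described on this page.

```python
"""Toy model of a check-then-use race on an intent-like object.

Constructed example for this page; not code from the talk and not Android
framework code. It models only the general TOCTOU primitive: a destination
check that passes, followed by a resolution step that re-reads a
destination the sender could change in between. Names, the protected
component and the deterministic race-window hook are illustrative assumptions.
"""

# Assumed protected destination, standing in for an unexported activity in
# a system app such as Settings. Not a real component name.
PROTECTED_PIN = "com.example.settings/.ChangePinActivity"
PROTECTED = {PROTECTED_PIN}
# Assumed harmless destination that the check is meant to allow.
BENIGN = "com.example.attacker/.BenignActivity"


class Intent:
    """Minimal intent: only the target component is modelled."""

    def __init__(self, component: str):
        self.component = component


def destination_allowed(component: str) -> bool:
    """The 'check': the policy meant to keep callers out of protected components."""
    return component not in PROTECTED


def launch(component: str) -> str:
    """The 'use': stands in for the real activity start."""
    return f"launched {component}"


def vulnerable_forward(intent: Intent, race_window=None) -> str:
    """Checks the live object, then resolves from the live object again.

    race_window models the gap between the two reads; anything that can
    reach `intent` inside that gap can retarget it after the check passed.
    """
    if not destination_allowed(intent.component):   # first read
        return "denied"
    if race_window:
        race_window()
    return launch(intent.component)                  # second read, may differ


def hardened_forward(intent: Intent, race_window=None) -> str:
    """Reads the destination once, then checks and uses that same value."""
    component = intent.component                     # snapshot before the check
    if not destination_allowed(component):
        return "denied"
    if race_window:
        race_window()
    return launch(component)                         # uses the checked value


def retarget_after_check(intent: Intent, target: str):
    """Sender side: a callback that flips the destination inside the gap."""
    def window():
        intent.component = target
    return window


def run_vulnerable() -> str:
    """Benign target passes the check, then is swapped for the protected one."""
    intent = Intent(BENIGN)
    return vulnerable_forward(intent, retarget_after_check(intent, PROTECTED_PIN))


def run_hardened() -> str:
    """Same swap, but the forwarder acts on the value it actually checked."""
    intent = Intent(BENIGN)
    return hardened_forward(intent, retarget_after_check(intent, PROTECTED_PIN))


def run_direct() -> str:
    """Without the race, the destination check holds."""
    return vulnerable_forward(Intent(PROTECTED_PIN))


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("hardened:  ", run_hardened())
    print("direct:    ", run_direct())
```

The practitioner's takeaway is the shape of the fix in `hardened_forward`: validate the exact, immutable value you will later act on, and re-validate after any step that resolves the destination again. In real Android an intent crossing Binder arrives as a parcelled copy, so the window is not a shared Python object as modelled here; the hook only makes the race deterministic for the purpose of showing the check-then-use gap.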
AI review
Qidan He drops a genuinely novel ToCToU attack class against Android's intent resolution pipeline — not a rehash of Parcel mismatch, not a vendor CVE write-up, but a new primitive with a full exploitation chain, live demos on Android 16 Beta, and vendor-specific gadget chains. This is the kind of research that forces a platform team to rethink a security model, not just patch a single bug.