CWE-346: Origin Validation Error

Description

The product does not properly verify that the source of data or communication is valid.

Submission Date: 2006-07-19

Modification Date: 2023-06-29

Organization: MITRE

Example Vulnerable Code

Example - 1

This Android application will remove a user account when it receives an intent to do so:

IntentFilter filter = new IntentFilter("com.example.RemoveUser");
DeleteReceiver receiver = new DeleteReceiver();
registerReceiver(receiver, filter);

public class DeleteReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        // The sender of the broadcast is never checked, so any app can trigger this.
        int userID = intent.getIntExtra("userID", -1);
        destroyUserData(userID);
    }
}

This application does not check the origin of the intent, thus allowing any malicious application to remove a user. Always check the origin of an intent, or create an allowlist of trusted applications using the manifest.xml file.

Example - 2

These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the JavaScript within the WebView to communicate with the application:

// Android
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
    if (url.substring(0, 14).equalsIgnoreCase("examplescheme:")) {
        if (url.substring(14, 25).equalsIgnoreCase("getUserInfo")) {
            // Reached by whatever page is loaded in the WebView, trusted or not.
            writeDataToView(view, UserData);
            return false;
        } else {
            return true;
        }
    }
    return false; // not the custom scheme: let the WebView load the URL normally
}

// iOS
- (BOOL)webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType
{
    NSURL *URL = [exRequest URL];
    if ([[URL scheme] isEqualToString:@"exampleScheme"]) {
        NSString *functionString = [URL resourceSpecifier];
        if ([functionString hasPrefix:@"specialFunction"]) {
            // Make data available back in webview.
            UIWebView *webView = [self writeDataToView:[URL query]];
        }
        return NO;
    }
    return YES;
}

A call into native code can then be initiated by passing parameters within the URL:

window.location = "examplescheme://method?parameter=value";

Because the application does not check the source, a malicious website loaded within this WebView has the same access to the API as a trusted site.
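A hardened version of the Android handler above, added here as an example that is not part of the CWE entry: it parses the URL instead of using fixed substring offsets and, before any native method is reached, checks that the page currently loaded in the WebView comes from an allowlisted HTTPS origin. The allowlist host, the "examplescheme" bridge, the getUserInfo method and the receiveUserInfo page callback are assumed for illustration.

```java
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import org.json.JSONObject;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class BridgeWebViewClient extends WebViewClient {
    // Constructed allowlist: only pages served from these hosts may drive the bridge.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com"));
    private static final String BRIDGE_SCHEME = "examplescheme";

    private final String userInfo; // data the bridge exposes (assumed, as in the CWE example)

    public BridgeWebViewClient(String userInfo) {
        this.userInfo = userInfo;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        Uri target = Uri.parse(url);
        if (!BRIDGE_SCHEME.equalsIgnoreCase(target.getScheme())) {
            return false; // ordinary navigation: let the WebView load it
        }
        // The origin check the CWE example lacks: the document currently shown in the
        // WebView must come from a trusted origin before any native code is invoked.
        if (!isTrustedOrigin(view.getUrl())) {
            return true; // consume the bridge request without doing anything
        }
        if ("getUserInfo".equalsIgnoreCase(target.getHost())) {
            // Hand the data back to the page through a JS callback, quoted as a JS string.
            view.evaluateJavascript(
                    "receiveUserInfo(" + JSONObject.quote(userInfo) + ");", null);
        }
        return true; // bridge URLs are never loaded as pages
    }

    static boolean isTrustedOrigin(String pageUrl) {
        if (pageUrl == null) {
            return false; // nothing loaded yet: deny by default
        }
        Uri page = Uri.parse(pageUrl);
        // Require TLS so a network attacker cannot impersonate a trusted host,
        // and compare the whole host rather than a prefix or substring.
        return "https".equalsIgnoreCase(page.getScheme())
                && page.getHost() != null
                && TRUSTED_HOSTS.contains(page.getHost().toLowerCase());
    }
}
```

view.getUrl() reflects the top-level document, so a trusted page that embeds untrusted iframes still needs to keep those frames from reaching the bridge; the same allowlist should be enforced with a restrictive content policy on the trusted site.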

Visit http://cwe.mitre.org/ for more details.