Security question: intent execution (ACTION_CALL, ACTION_VIEW) without warning or permission #6602

@sk7n4k3d

Description

While reviewing the notification system for our UnifiedPush PR (#6599), we noticed that the command_activity and command_broadcast_intent push notification commands in MessagingManager.kt can execute arbitrary Android intents without any allowlist or user confirmation.

We tested on a Pixel 9 running Android 15 and confirmed that a simple API call to notify.mobile_app_<device> can:

  • Open any URL in the browser (potential phishing vector)
  • Open the phone dialer with a pre-filled number (ACTION_DIAL)
  • Place a phone call without user interaction (ACTION_CALL)
  • Open system settings or any installed app

The only protection is isTrusted() which defaults to true and is stored in plaintext SharedPreferences.

When the "Display over other apps" permission is granted (which the app requests during onboarding), these intents execute even when the app is in the background or the screen is off.

Question

Is this behavior intentional by design (trusted server model)? We understand the HA server is trusted, but the lack of any validation on intent actions means:

  1. A compromised HA instance could be used as an attack vector against all connected mobile devices
  2. Any user or integration with API access can trigger these commands
  3. A MITM on HTTP connections (which are allowed by the network security config) could inject these commands

Suggestion

Would it make sense to:

  • Add an allowlist of permitted intent actions for command_activity
  • Require user confirmation for sensitive actions like ACTION_CALL
  • Or at minimum, document this behavior as a security consideration

Happy to discuss or help with a fix if this is considered a security concern.
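
The allowlist and confirmation suggestions above, expressed as a default-deny policy check in plain Kotlin. This is an added example, not code from the issue or from the app: `Decision`, `Rule`, `ALLOWLIST` and `evaluate` are hypothetical names, and the choice of permitted actions and URI schemes is an assumption.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Hypothetical policy types; none of these names exist in the app's code base.
enum class Decision { ALLOW, CONFIRM, DENY }

// Action strings are the values of the Android Intent.ACTION_* constants.
const val ACTION_VIEW = "android.intent.action.VIEW"
const val ACTION_DIAL = "android.intent.action.DIAL"
const val ACTION_CALL = "android.intent.action.CALL"

// Assumed policy: each permitted action lists the URI schemes it may carry
// and whether the user has to approve it before the intent is started.
data class Rule(val schemes: Set<String>, val needsConfirmation: Boolean)

val ALLOWLIST: Map<String, Rule> = mapOf(
    ACTION_VIEW to Rule(setOf("https"), needsConfirmation = false),
    ACTION_DIAL to Rule(setOf("tel"), needsConfirmation = true),
    ACTION_CALL to Rule(setOf("tel"), needsConfirmation = true),
)

fun evaluate(action: String, data: String?): Decision {
    // Default deny: an action that is not listed never runs.
    val rule = ALLOWLIST[action] ?: return Decision.DENY
    if (data == null) return Decision.DENY
    // Malformed or scheme-less URIs are rejected rather than passed through.
    val scheme = try {
        URI(data).scheme?.lowercase()
    } catch (e: URISyntaxException) {
        null
    }
    if (scheme == null || scheme !in rule.schemes) return Decision.DENY
    return if (rule.needsConfirmation) Decision.CONFIRM else Decision.ALLOW
}

fun main() {
    // Constructed sample commands, not captured from a real device.
    val samples = listOf(
        ACTION_VIEW to "https://example.org/dashboard",
        ACTION_VIEW to "http://example.org/login",
        ACTION_CALL to "tel:+15550100",
        "android.settings.SETTINGS" to null,
    )
    for ((action, data) in samples) println("$action $data -> ${evaluate(action, data)}")
}
```

A caller would start the intent only on `ALLOW`, show a prompt on `CONFIRM`, and log and drop the command on `DENY`.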
