(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)
A pending intent is an intent that can be given to another application for it to use later; see the PendingIntent class [Android API 2013]. The application receiving the pending intent can perform the operation(s) specified in the pending intent with the same permissions and the same identity as the application that produced the pending intent. Consequently, the pending intent should be built with care, and must always contain base intents that have the component name set explicitly to a component owned by the originating application. This ensures that the base intents are ultimately sent to appropriate locations and nowhere else. An implicit intent must never be included in a pending intent.
Noncompliant Code Example
This noncompliant code example shows an application that creates a pending intent containing an implicit intent.
An application could intercept the implicit intent and pass it on to an inappropriate location, while both the intent originator and the intent recipient would remain unaware that the intent had been intercepted.
Compliant Solution
In this compliant solution, the pending intent contains an explicit intent that cannot be misdirected.
Failing to pass an explicit intent to a pending intent could allow the intent to be misdirected, thereby leaking sensitive information and/or altering the data flow within an app.
A straightforward static analysis can perform reasonably well at detecting violations of this rule.