External intent can trigger internal send flow and attach FlowCrypt-private files

[DenBond7]

CreateMessageActivity is exported for normal Android share and mail intents, but external intents can still influence internal navigation/send behavior more than intended. A specially crafted intent can reach the internal outgoing-message creation flow instead of staying within the normal compose-review flow. Because outgoing attachment processing later opens attachment URIs using FlowCrypt’s own app identity, this creates a path where app-private files can be staged as outgoing attachments.
The issue is not the existence of normal ACTION_SEND / ACTION_SEND_MULTIPLE support itself. The problem is that an external entry point can drive internal send logic directly, bypassing the expected compose validation and user review path.

Impact:

• external app can invoke exported compose entry point;
• internal send flow can be reached from untrusted input;
• attachment URIs are later processed with FlowCrypt privileges;
• FlowCrypt-private files may be exposed as outgoing attachments.

Expected behavior:

• external intents should only initialize the normal compose flow;
• internal send-only/navigation-only routes should not be reachable from untrusted external input;
• attachment processing should reject unsafe URIs that point outside explicitly allowed FlowCrypt-managed sources.

ref https://github.com/FlowCrypt/flowcrypt-security/issues/338