Aleja77 / twimight

Automatically exported from code.google.com/p/twimight
0 stars 0 forks source link

Security issues (unprotected components) #23

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Sending the "twimight_synch" intent action or explicitly invoking 
".net.twitter.TwitterService" will allow other applications to force network 
communication. Set exported="false" or protect with a signature/dangerous 
permission.
2. Explicitly invoking ".util.BootReceiver" will allow other applications with 
the "android.permission.RECEIVE_BOOT_COMPLETED" permission to execute the 
broadcast receiver. Check the intent's action in the "onReceive" and remove the 
permission on that receiver.
3. Explicitly invoking .util.CommunicationReceiver will allow other 
applications to execute the code. Check the intent's action in the onReceive().
4. Sending the "auto_enable_disaster_mode" intent action or explicitly invoking 
".util.OMFReceiver" will allow other applications to force the application to 
switch between disaster mode. Protect with a signature permission or set 
exported="false".
5. Review activities that register for Intent filters and decide which ones 
that you would like to be publicly accessible (e.g., .activities.LoginActivity, 
.activities.SearchableActivity, etc.). If they are only to be used internally, 
set exported="false".

Original issue reported on code.google.com by benan...@gmail.com on 15 Nov 2013 at 7:52

GoogleCodeExporter commented 9 years ago

Original comment by steven.m...@gmail.com on 27 Dec 2013 at 5:01