edwindwalker / edwinwalker

Personal site
0 stars 0 forks source link

NowSecure static analysis: Context Registered Broadcast Receivers Not Protected with Permissions #23

Closed edwindwalker closed 9 months ago

edwindwalker commented 2 years ago

Finding Description

This test reverse engineers the application code and detects any context-registered broadcast receivers that have not been protected with permissions.

Steps to Reproduce

Android apps can dynamically register broadcast receivers and specify permissions to restrict access to them. Broadcast receivers that are registered without specifying any permissions can potentially leak sensitive info to all other applications on the device. This test detects any context-registered broadcast receivers that have not been protected with permissions.

Business Impact

A malicious app installed on the device can attempt to send broadcast intents that trigger the unprotected broadcast receiver. These intents can modify the runtime of the app, making the app a potential phishing vector. If the sender app's broadcasts contain sensitive information, a malicious app may be able to perform intent sniffing, leaking sensitive data. Furthermore, a malicious app can register itself with high priority, if the broadcast is an ordered broadcast, to receive the broadcast first. If the malicious app is the first to receive the broadcast, it could cancel the broadcast causing a denial of service, or it could inject a malicious data into the broadcast.

Remediation Resources

If the broadcast receiver handles sensitive information, specify Signature or SignatureorSystem level permissions to restrict access to only certain applications. When there is no requirement to send broadcasts across apps on the device i.e when the receivers are in the same app as the sender, use local broadcasts instead.

Risk and Regulatory Information

Severity: medium CVSS: 4

Application

See more detail in the NowSecure Report