edwindwalker / edwinwalker

Personal site
0 stars 0 forks source link

NowSecure static analysis: Manifest Declared Broadcast Receivers Not Protected With Permissions Can Leak Data to Other Apps #6

Closed edwindwalker closed 9 months ago

edwindwalker commented 3 years ago

Finding Description

Broadcast receivers that are registered without specifying any permissions can potentially leak sensitive info to all other applications on the device. A malicious app installed on the device can attempt to send broadcast intents that trigger the unprotected broadcast receiver. These intents can modify the runtime of the app, making the app a potential phishing vector. If the sender app's broadcasts contain sensitive information, a malicious app may be able to perform intent sniffing, leaking sensitive data. Furthermore, a malicious app can register itself with high priority, if the broadcast is an ordered broadcast, to receive the broadcast first. If the malicious app is the first to receive the broadcast, it could cancel the broadcast causing a denial of service, or it could inject a malicious data into the broadcast.

Steps to Reproduce

This test statically audits the app binary for any manifest declared broadcast receivers that have not been protected with permissions.

Business Impact

The app is not following secure best practices when handling data. This could lead to sensitive information being exposed to other apps on any device.

Remediation Resources

If the broadcast receiver handles sensitive information, specify Signature or SignatureorSystem level permissions to restrict access to only certain applications. When there is no requirement to send broadcasts across apps on the device i.e when the receivers are in the same app as the sender, use local broadcasts instead. Details and code snippets can be found at https://developer.android.com/guide/components/broadcasts

Risk and Regulatory Information

Severity: medium CVSS: 4

Application

See more detail in the NowSecure Report