Android apps can dynamically register broadcast receivers and specify permissions to restrict access to them. Broadcast receivers that are registered without specifying any permissions can potentially leak sensitive info to all other applications on the device. This test detects any context-registered broadcast receivers that have not been protected with permissions.
Recommendation
If the broadcast receiver handles sensitive information, specify Signature or SignatureOrSystem level permissions to restrict access to only certain applications. When there is no requirement to send broadcasts across apps on the device, i.e. when the receivers are in the same app as the sender, use local broadcasts instead.
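The recommendation above as an added example in Java, not part of the original page or of the NowSecure test: the unprotected registration this test flags, next to a registration guarded by a signature-level permission and a local-broadcast registration. The class, action and permission names are hypothetical, and the app is assumed to use the androidx.core and androidx.localbroadcastmanager libraries.

```java
// Added example; package, class, action and permission names are hypothetical.
// The manifest is assumed to define the permission, and every sender must request it:
//   <permission android:name="com.example.app.permission.SYNC_EVENTS"
//               android:protectionLevel="signature" />
//   <uses-permission android:name="com.example.app.permission.SYNC_EVENTS" />
package com.example.app;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import androidx.core.content.ContextCompat;
import androidx.localbroadcastmanager.content.LocalBroadcastManager;

public final class SyncReceiverRegistration {
    static final String ACTION_SYNC_DONE = "com.example.app.action.SYNC_DONE";
    static final String PERM_SYNC_EVENTS = "com.example.app.permission.SYNC_EVENTS";

    private final BroadcastReceiver receiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            if (!ACTION_SYNC_DONE.equals(intent.getAction())) return;
            // Handle the sync result carried in the intent extras here.
        }
    };

    // Flagged pattern: context-registered with no broadcastPermission, so the
    // receiver is reachable by any app on the device that sends this action.
    void registerUnprotected(Context context) {
        context.registerReceiver(receiver, new IntentFilter(ACTION_SYNC_DONE));
    }

    // Cross-app case: only senders holding PERM_SYNC_EVENTS are delivered, and the
    // signature protection level limits holders to apps signed with the same key.
    void registerWithSignaturePermission(Context context) {
        ContextCompat.registerReceiver(context, receiver,
                new IntentFilter(ACTION_SYNC_DONE), PERM_SYNC_EVENTS, null,
                ContextCompat.RECEIVER_EXPORTED);
    }

    // Same-app case: a local broadcast never leaves the process.
    void registerLocal(Context context) {
        LocalBroadcastManager.getInstance(context)
                .registerReceiver(receiver, new IntentFilter(ACTION_SYNC_DONE));
    }
}
```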
Risk and Regulatory Information
Severity: medium CVSS: 4
Application