Finding Description
Broadcast receivers that are registered without specifying any permissions can potentially leak sensitive information to all other applications on the device. A malicious app installed on the device can attempt to send broadcast intents that trigger the unprotected broadcast receiver. These intents can modify the runtime behavior of the app, making the app a potential phishing vector. If the sender app's broadcasts contain sensitive information, a malicious app may be able to perform intent sniffing, leaking sensitive data. Furthermore, if the broadcast is an ordered broadcast, a malicious app can register itself with high priority to receive the broadcast first. If the malicious app is the first to receive the broadcast, it could cancel the broadcast, causing a denial of service, or it could inject malicious data into the broadcast.
Steps to Reproduce
This test statically audits the app binary for any manifest-declared broadcast receivers that have not been protected with permissions.
Business Impact
The app is not following secure best practices when handling data. This could lead to sensitive information being exposed to other apps on any device.
Remediation Resources
If the broadcast receiver handles sensitive information, specify Signature or SignatureOrSystem level permissions to restrict access to only certain applications. When there is no requirement to send broadcasts across apps on the device, i.e. when the receivers are in the same app as the sender, use local broadcasts instead. Details and code snippets can be found at https://developer.android.com/guide/components/broadcasts
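The manifest below is an added illustration, not code from the report or from the audited app: it shows the unprotected receiver the static check flags beside two remediated declarations, one guarded by a signature-level permission for cross-app use and one not exported at all for in-app use. Package, class, action and permission names are hypothetical.

```xml
<!-- Added example (not from the report). All names are hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">

    <!-- Custom permission at "signature" protection level: only apps signed
         with the same certificate as this app can be granted it. -->
    <permission
        android:name="com.example.app.permission.SESSION_EVENTS"
        android:protectionLevel="signature" />

    <application>

        <!-- WEAK: exported with no permission. Any installed app can send an
             intent matching this action and trigger the receiver; this is the
             declaration the audit reports. -->
        <receiver
            android:name=".LegacySessionReceiver"
            android:exported="true">
            <intent-filter>
                <action android:name="com.example.app.SESSION_UPDATED" />
            </intent-filter>
        </receiver>

        <!-- FIXED, cross-app use required: only senders holding the
             signature-level permission can deliver to this receiver. -->
        <receiver
            android:name=".SessionReceiver"
            android:exported="true"
            android:permission="com.example.app.permission.SESSION_EVENTS">
            <intent-filter>
                <action android:name="com.example.app.SESSION_UPDATED" />
            </intent-filter>
        </receiver>

        <!-- FIXED, in-app use only: not exported, so the system rejects intents
             from other packages regardless of the action they carry. -->
        <receiver
            android:name=".InternalSessionReceiver"
            android:exported="false">
            <intent-filter>
                <action android:name="com.example.app.SESSION_INTERNAL" />
            </intent-filter>
        </receiver>
    </application>
</manifest>
```

The `android:permission` attribute on a receiver controls who may send to it; to also stop other apps from sniffing broadcasts the app sends, pass the same permission name as the second argument of `sendBroadcast(Intent, String)` so that only holders of that permission can receive it.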
Risk and Regulatory Information
Severity: medium CVSS: 4
Application