mParticle / mparticle-flutter-sdk

A Flutter plugin that gives developers an API to implement mParticle on Flutter. This supports publishing a Flutter plugin to iOS, Android, and Web.
Apache License 2.0

Android Context Registered Broadcast Receivers Not Protected with Permissions #47

Open asegurola opened 2 months ago

asegurola commented 2 months ago

A static analysis security tool we use is complaining about this SDK not protecting broadcast receivers properly.

OS: Android
mParticle Flutter SDK Version: 1.0.4

The suggestion is to protect the broadcast receivers as described here:

Restricting broadcasts with permissions https://developer.android.com/guide/components/broadcasts.html#restrict-broadcasts-permissions

Android 13 - Safer exporting of context-registered receivers https://developer.android.com/about/versions/13/features#runtime-receivers

Android 14 - Runtime-registered broadcasts receivers must specify export behavior https://developer.android.com/about/versions/14/behavior-changes-14#runtime-receivers-exported

Evidence

com.mparticle.internal.j - e()

{
  "class": "com.mparticle.internal.j",
  "method": "e()",
  "locations": [
    {
      "location_id": "s1985212c-600a-46be-90f0-95110958f8e4"
    }
  ],
  "_raw": {
    "api": "Landroid/content/Context;,registerReceiver,(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;",
    "line": -1,
    "method": "Lcom/mparticle/internal/j;,e,()V",
    "source_file": "com/mparticle/internal/SourceFile"
  }
}
[
  {
    "id": "s1985212c-600a-46be-90f0-95110958f8e4",
    "data": {
      "type": "backtrace",
      "entries": [
        {
          "type": "java",
          "context": {
            "flags": [],
            "signature": "Lcom/mparticle/internal/j;,e,()V",
            "class_name": "com.mparticle.internal.j",
            "method_name": "e"
          }
        },
        {
          "type": "java",
          "context": {
            "flags": [],
            "source": {
              "line": -1,
              "name": "com/mparticle/internal/SourceFile"
            },
            "signature": "Landroid/content/Context;,registerReceiver,(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;",
            "class_name": "android.content.Context",
            "method_name": "registerReceiver"
          }
        }
      ]
    }
  }
]
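The following is an added illustration of the two registration styles the linked Android guidance describes, for a context-registered receiver; it is not mParticle code and is not the flagged `com.mparticle.internal.j.e()` method, whose body the evidence above does not show. The action string, permission name and class name are hypothetical. The unprotected form is the two-argument `Context.registerReceiver` overload that the backtrace records; the hardened forms use `ContextCompat.registerReceiver` with `RECEIVER_NOT_EXPORTED` (androidx.core 1.9.0 or later) and the four-argument overload that requires senders to hold a permission.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

import androidx.core.content.ContextCompat;

/**
 * Added example (not mParticle SDK code): registering a context-registered
 * receiver so that only this app, or a holder of a named permission, can
 * deliver matching broadcasts to it.
 */
public final class SafeReceiverRegistration {

    // Hypothetical action name, used for illustration only.
    static final String ACTION_SESSION_TIMEOUT = "com.example.app.SESSION_TIMEOUT";

    // Hypothetical signature-level permission that the app would declare in its manifest.
    static final String SEND_PERMISSION = "com.example.app.permission.SEND_SDK_EVENT";

    private SafeReceiverRegistration() {}

    /**
     * The pattern the static analyzer flags: no export flag and no permission,
     * so any app on the device can send a broadcast that matches the filter.
     * On Android 14 (API 34) targets this call also throws a SecurityException
     * for non-system actions because no export behaviour was specified.
     */
    static Intent registerUnprotected(Context ctx, BroadcastReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION_SESSION_TIMEOUT);
        return ctx.registerReceiver(receiver, filter);
    }

    /**
     * Hardened form for broadcasts that only this app sends: the receiver is
     * not exported. ContextCompat passes Context.RECEIVER_NOT_EXPORTED through
     * on API 33+ and approximates it with an app-private permission on older releases.
     */
    static Intent registerNotExported(Context ctx, BroadcastReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION_SESSION_TIMEOUT);
        return ContextCompat.registerReceiver(
                ctx, receiver, filter, ContextCompat.RECEIVER_NOT_EXPORTED);
    }

    /**
     * Hardened form when other apps legitimately need to broadcast to the
     * receiver: the sender must hold SEND_PERMISSION. The null scheduler
     * delivers on the main thread, as the two-argument overload does.
     */
    static Intent registerWithPermission(Context ctx, BroadcastReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION_SESSION_TIMEOUT);
        return ctx.registerReceiver(receiver, filter, SEND_PERMISSION, null);
    }
}
```

A reviewer checking a fix for this issue would look for one of the two hardened shapes at every `registerReceiver` call site: either an explicit `RECEIVER_NOT_EXPORTED`/`RECEIVER_EXPORTED` flag (mandatory for non-system broadcasts once the app targets Android 14) or a `broadcastPermission` argument. A receiver that only listens for protected system broadcasts, such as connectivity changes, does not need the flag, since the platform already restricts who can send those.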