Broadcast intents in Android are visible to every application by default, which can expose sensitive information.
By default, broadcast intents are delivered to every application on the device that registers a matching receiver, exposing any sensitive information the intent carries. This rule raises an issue when an intent is broadcast without a receiver permission.
Calls to sendBroadcast, sendBroadcastAsUser, sendOrderedBroadcast, and sendOrderedBroadcastAsUser that either use an overload with no receiverPermission parameter or pass null for that parameter allow any application to receive the broadcast. Only the overloads that accept a non-null receiverPermission restrict delivery to applications holding that permission.
If an intent contains sensitive data such as user credentials, personal information, or internal application state, any malicious application installed on the same device can register a receiver for it and read that data.
A malicious application could also listen for such broadcast intents to trigger unauthorized actions or manipulate application behavior, potentially gaining access to functionality that should be restricted.
The following code broadcasts an intent without specifying a receiver permission, making it accessible to all applications on the device.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.Bundle;
import android.os.Handler;
import android.os.UserHandle;
import android.support.annotation.RequiresApi;
/**
 * Noncompliant example: every broadcast below is sent without a receiver
 * permission (the parameter is either absent from the overload or passed as
 * {@code null}), so any application on the device can register a receiver and
 * read the intent.
 */
public class MyIntentBroadcast {
    /**
     * Sends {@code intent} through the broadcast overloads that carry no
     * receiver permission. {@code broadcastPermission} is accepted but never
     * used, which is exactly what makes each call noncompliant.
     */
    @RequiresApi(api = Build.VERSION_CODES.JELLY_BEAN_MR1)
    public void broadcast(Intent intent, Context context, UserHandle user,
            BroadcastReceiver resultReceiver, Handler scheduler, int initialCode,
            String initialData, Bundle initialExtras,
            String broadcastPermission) {
        // Overloads that have no receiverPermission parameter at all.
        context.sendBroadcast(intent); // Noncompliant
        context.sendBroadcastAsUser(intent, user); // Noncompliant
        // Overloads that take a receiverPermission, called with "null" for it.
        context.sendBroadcast(intent, null); // Noncompliant
        context.sendOrderedBroadcast(intent, null); // Noncompliant
        context.sendBroadcastAsUser(intent, user, null); // Noncompliant
        context.sendOrderedBroadcastAsUser(intent, user, null, resultReceiver,
                scheduler, initialCode, initialData, initialExtras); // Noncompliant
    }
}
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.Bundle;
import android.os.Handler;
import android.os.UserHandle;
import android.support.annotation.RequiresApi;

import java.util.Objects;
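/**
 * Compliant example: every broadcast is sent with a receiver permission, so
 * only applications that hold {@code broadcastPermission} receive the intent.
 *
 * NOTE(review): a receiver permission only restricts delivery to applications
 * that hold it; how much protection that gives depends on how the permission
 * itself is declared (e.g. its protectionLevel), which this listing does not
 * show.
 */
public class MyIntentBroadcast {
    /**
     * Sends {@code intent} through the permission-taking broadcast overloads.
     *
     * @param broadcastPermission name of the permission a receiver must hold;
     *        must not be {@code null}, because a {@code null} permission would
     *        let every application on the device receive the broadcast
     * @throws NullPointerException if {@code broadcastPermission} is
     *         {@code null}
     */
    @RequiresApi(api = Build.VERSION_CODES.JELLY_BEAN_MR1)
    public void broadcast(Intent intent, Context context, UserHandle user,
            BroadcastReceiver resultReceiver, Handler scheduler, int initialCode,
            String initialData, Bundle initialExtras,
            String broadcastPermission) {
        // Fail fast: forwarding a null permission is exactly the noncompliant
        // case this example is meant to avoid.
        Objects.requireNonNull(broadcastPermission, "broadcastPermission");
        context.sendBroadcast(intent, broadcastPermission);
        context.sendBroadcastAsUser(intent, user, broadcastPermission);
        context.sendOrderedBroadcast(intent, broadcastPermission);
        context.sendOrderedBroadcastAsUser(intent, user, broadcastPermission,
                resultReceiver, scheduler, initialCode, initialData, initialExtras);
    }
}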