Broadcasted intents in Android are visible to every application by default, which can expose sensitive information.

Why is this an issue?

By default, broadcasted intents are visible to every application on the device, exposing all sensitive information that intents contain. This rule raises an issue when an intent is broadcasted without specifying a receiver permission.

Methods like sendBroadcast, sendBroadcastAsUser, sendOrderedBroadcast, and sendOrderedBroadcastAsUser that are called without a receiver permission parameter or with null for the permission allow any application to receive the broadcast.

What is the potential impact?

Information disclosure

If an intent contains sensitive data such as user credentials, personal information, or internal application state, any malicious application installed on the same device can intercept and read this data.

Privilege escalation

A malicious application could listen for broadcasted intents to trigger unauthorized actions or manipulate application behavior, potentially gaining access to functionality that should be restricted.

How to fix it

Code examples

The following code broadcasts an intent without specifying a receiver permission, making it accessible to all applications on the device.

Noncompliant code example

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.Bundle;
import android.os.Handler;
import android.os.UserHandle;
import android.support.annotation.RequiresApi;

public class MyIntentBroadcast {
    @RequiresApi(api = Build.VERSION_CODES.JELLY_BEAN_MR1)
    public void broadcast(Intent intent, Context context, UserHandle user,
                          BroadcastReceiver resultReceiver, Handler scheduler, int initialCode,
                          String initialData, Bundle initialExtras,
                          String broadcastPermission) {
        context.sendBroadcast(intent); // Noncompliant
        context.sendBroadcastAsUser(intent, user); // Noncompliant

        // Broadcasting intent with "null" for receiverPermission
        context.sendBroadcast(intent, null); // Noncompliant
        context.sendBroadcastAsUser(intent, user, null); // Noncompliant
        context.sendOrderedBroadcast(intent, null); // Noncompliant
        context.sendOrderedBroadcastAsUser(intent, user, null, resultReceiver,
                scheduler, initialCode, initialData, initialExtras); // Noncompliant
    }
}

Compliant solution

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.Bundle;
import android.os.Handler;
import android.os.UserHandle;
import android.support.annotation.RequiresApi;

public class MyIntentBroadcast {
    @RequiresApi(api = Build.VERSION_CODES.JELLY_BEAN_MR1)
    public void broadcast(Intent intent, Context context, UserHandle user,
                          BroadcastReceiver resultReceiver, Handler scheduler, int initialCode,
                          String initialData, Bundle initialExtras,
                          String broadcastPermission) {

        context.sendBroadcast(intent, broadcastPermission);
        context.sendBroadcastAsUser(intent, user, broadcastPermission);
        context.sendOrderedBroadcast(intent, broadcastPermission);
        context.sendOrderedBroadcastAsUser(intent, user, broadcastPermission, resultReceiver,
                scheduler, initialCode, initialData, initialExtras);
    }
}

Resources

Documentation

Standards