Android applications can receive broadcasts from the system or other applications through registered broadcast receivers.

Why is this an issue?

A broadcast receiver registered or declared without a broadcast permission can receive intents from any application on the device, making it an unrestricted entry point into the application. Malicious or compromised applications can send crafted broadcasts that trigger unintended behavior, bypass access controls, or feed untrusted data into the application’s processing logic. This rule raises an issue when a receiver is registered in code without a broadcastPermission argument, or when a receiver is declared in the manifest as exported without an android:permission attribute.

What is the potential impact?

Unauthorized access

An attacker controlling a malicious application can send arbitrary broadcasts to the unprotected receiver, potentially triggering sensitive operations such as changing application state or invoking privileged functionality without the user’s knowledge.

Data injection

Without restriction, any application can supply arbitrary intent data to the receiver. If that data is processed without validation, it can lead to logic errors or further exploitation within the application.

How to fix it

Code examples

The following code registers a broadcast receiver without specifying a broadcast permission, allowing any application to send intents to it.

Noncompliant code example

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.IntentFilter;
import android.os.Build;
import android.os.Handler;
import android.support.annotation.RequiresApi;

public class MyIntentReceiver {

    @RequiresApi(api = Build.VERSION_CODES.O)
    public void register(Context context, BroadcastReceiver receiver,
                         IntentFilter filter,
                         String broadcastPermission,
                         Handler scheduler,
                         int flags) {
        context.registerReceiver(receiver, filter); // Noncompliant
        context.registerReceiver(receiver, filter, flags); // Noncompliant

        // Registering the receiver with "null" for broadcastPermission
        context.registerReceiver(receiver, filter, null, scheduler); // Noncompliant
        context.registerReceiver(receiver, filter, null, scheduler, flags); // Noncompliant
    }
}

Compliant solution

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.IntentFilter;
import android.os.Build;
import android.os.Handler;
import android.support.annotation.RequiresApi;

public class MyIntentReceiver {

    @RequiresApi(api = Build.VERSION_CODES.O)
    public void register(Context context, BroadcastReceiver receiver,
                         IntentFilter filter,
                         String broadcastPermission,
                         Handler scheduler,
                         int flags) {

        // Only senders that hold broadcastPermission can deliver intents to the receiver
        context.registerReceiver(receiver, filter, broadcastPermission, scheduler);
        context.registerReceiver(receiver, filter, broadcastPermission, scheduler, flags);
    }
}
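
The manifest case mentioned under "Why is this an issue?" can be checked in a build pipeline with a short script. The following is an added example, not part of the original rule description or the analyzer's own implementation: it lists exported receivers in a source AndroidManifest.xml that have no android:permission. The function name, the sample manifest and its component names are constructed; treating a receiver with an intent filter and no android:exported value as exported, and honoring a permission set on the application element, are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def unprotected_receivers(manifest_xml):
    """Return names of exported <receiver> elements that no permission guards."""
    findings = []
    for app in ET.fromstring(manifest_xml).iter("application"):
        # A permission on <application> applies to components that set none.
        app_permission = _attr(app, "permission")
        for receiver in app.iter("receiver"):
            exported = _attr(receiver, "exported")
            if exported is None:
                # Assumption: no explicit value plus an intent filter
                # means exported (legacy default behaviour).
                is_exported = receiver.find("intent-filter") is not None
            else:
                is_exported = exported.strip().lower() == "true"
            permission = _attr(receiver, "permission") or app_permission
            if is_exported and not permission:
                findings.append(_attr(receiver, "name"))
    return findings


# Constructed sample manifest; package, receiver and permission names are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <receiver android:name=".OpenReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.app.SYNC"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
        android:permission="com.example.app.permission.SYNC"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.app.PING"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name in unprotected_receivers(SAMPLE_MANIFEST):
        print("exported receiver without android:permission:", name)
```

The script reads the text manifest from the source tree; the binary XML packaged inside an APK has to be decoded first.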
