Android applications can receive broadcasts from the system or other applications through registered broadcast receivers.
A broadcast receiver registered or declared without a broadcast permission can receive intents from any application on the device, making it an
unrestricted entry point into the application. Malicious or compromised applications can send crafted broadcasts that trigger unintended behavior,
bypass access controls, or feed untrusted data into the application’s processing logic. This rule raises an issue when a receiver is registered in
code without a broadcastPermission argument, or when a receiver is declared in the manifest as exported without an
android:permission attribute.
An attacker controlling a malicious application can send arbitrary broadcasts to the unprotected receiver, potentially triggering sensitive operations such as changing application state or invoking privileged functionality without the user’s knowledge.
Without restriction, any application can supply arbitrary intent data to the receiver. If that data is processed without validation, it can lead to logic errors or further exploitation within the application.
The following code registers a broadcast receiver without specifying a broadcast permission, allowing any application to send intents to it.
```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.IntentFilter;
import android.os.Build;
import android.os.Handler;
import android.support.annotation.RequiresApi;

public class MyIntentReceiver {

    @RequiresApi(api = Build.VERSION_CODES.O)
    public void register(Context context, BroadcastReceiver receiver,
                         IntentFilter filter,
                         String broadcastPermission,
                         Handler scheduler,
                         int flags) {
        // No broadcastPermission parameter: any application can send to the receiver
        context.registerReceiver(receiver, filter); // Noncompliant
        context.registerReceiver(receiver, filter, flags); // Noncompliant

        // Registering the receiver with "null" for broadcastPermission
        context.registerReceiver(receiver, filter, null, scheduler); // Noncompliant
        context.registerReceiver(receiver, filter, null, scheduler, flags); // Noncompliant
    }
}
```
The following code passes a broadcast permission at registration, so only applications holding that permission can send intents to the receiver.
```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.IntentFilter;
import android.os.Build;
import android.os.Handler;
import android.support.annotation.RequiresApi;

public class MyIntentReceiver {

    @RequiresApi(api = Build.VERSION_CODES.O)
    public void register(Context context, BroadcastReceiver receiver,
                         IntentFilter filter,
                         String broadcastPermission,
                         Handler scheduler,
                         int flags) {
        // Senders must hold broadcastPermission to reach the receiver
        context.registerReceiver(receiver, filter, broadcastPermission, scheduler);
        context.registerReceiver(receiver, filter, broadcastPermission, scheduler, flags);
    }
}
```