Android Missing Receiver Permission

ID

kotlin.android_missing_receiver_permission

Severity

high

Resource

Access Control

Language

Kotlin

Tags

CWE:927, NIST.SP.800-53, PCI-DSS:6.5.6, android

Description

Registering an exported broadcast receiver without a permission lets any application on the device deliver broadcasts to it, so an attacker can feed the receiver spoofed intents and trigger whatever logic it runs.

Rationale

In Android, a broadcast receiver lets an application react to Intents sent by the system or by other applications. A receiver that is exported (a manifest-declared receiver with an intent filter, or a receiver registered with Context.registerReceiver() without RECEIVER_NOT_EXPORTED) and has no permission attached accepts a broadcast from any app on the device: the sender only needs to know the action string. A malicious app can then send crafted broadcasts that inject attacker-controlled extras into your code path, trigger actions the user never requested, or flood the receiver to cause denial of service. Note that CWE-927 covers this receiving side as well as the sending side (implicit intents that leak data to whichever app claims them).

To prevent these risks, attach a permission to the receiver so that only applications holding that permission can send to it, or, if the broadcasts are internal to your app, do not export the receiver at all.

import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter

class MyReceiver : BroadcastReceiver() {
    override fun onReceive(context: Context?, intent: Intent?) {
        // Process the broadcast message. Nothing here tells us who sent it:
        // any app can build an Intent with this action and reach this code.
    }
}

// Example registration in code (without permission enforcement):
// no broadcastPermission argument and no export flag, so the receiver
// accepts "com.example.SOME_ACTION" from every application on the device.
context.registerReceiver(MyReceiver(), IntentFilter("com.example.SOME_ACTION"))

Remediation

Ensure broadcast receivers are protected by specifying a permission, either with the android:permission attribute on the <receiver> element in the manifest or via the broadcastPermission argument when registering programmatically. The permission itself must be declared with a <permission> element; use android:protectionLevel="signature" so that only apps signed with your signing key can hold it, since a permission with the default "normal" protection level is granted to any app that requests it and provides no real protection. If the receiver only ever needs broadcasts from your own app, prefer not exporting it at all: set android:exported="false" in the manifest, or pass Context.RECEIVER_NOT_EXPORTED to registerReceiver() on API 33 and above (mandatory for apps targeting API 34 when the filter covers non-system broadcasts). In either case, keep treating the Intent's action and extras as untrusted input inside onReceive().

import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter

class MyReceiver : BroadcastReceiver() {
    override fun onReceive(context: Context?, intent: Intent?) {
        // Process the broadcast message
    }
}

// Example registration with permission: only a sender that holds
// "com.example.MY_PERMISSION" can deliver this action to the receiver.
// The permission must be declared in AndroidManifest.xml with
// android:protectionLevel="signature"; the last argument (Handler scheduler)
// is null so onReceive runs on the main thread.
val filter = IntentFilter("com.example.SOME_ACTION")
context.registerReceiver(MyReceiver(), filter, "com.example.MY_PERMISSION", null)
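The following is an added example, not part of the original rule text, that puts the remediation together for both cases a practitioner meets: a receiver that is internal to the app, and one that must accept broadcasts from other trusted apps. It also shows the API-level gating that registerReceiver() needs, and validates the incoming Intent rather than trusting it just because the permission check passed. The action name, permission name, the "account_id" extra and the SyncReceiver class are hypothetical; the manifest fragment in the comment is what the code assumes.

```kotlin
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.os.Build

// Hypothetical names used throughout this example. The permission is assumed
// to be declared in AndroidManifest.xml at signature level, so only apps signed
// with the same key as this one can be granted it:
//
//   <permission android:name="com.example.MY_PERMISSION"
//               android:protectionLevel="signature" />
//
// A manifest-declared receiver would get the same protection with
//   <receiver android:name=".SyncReceiver"
//             android:exported="true"
//             android:permission="com.example.MY_PERMISSION"> ... </receiver>
// or, for app-internal use only, android:exported="false" and no permission.
const val ACTION_SYNC = "com.example.SOME_ACTION"
const val PERMISSION_SEND_SYNC = "com.example.MY_PERMISSION"

class SyncReceiver : BroadcastReceiver() {
    override fun onReceive(context: Context?, intent: Intent?) {
        // A permission gate limits who can send, not what they send. The
        // action and every extra are still attacker-influenced input, so
        // check them before acting on them.
        if (intent == null || intent.action != ACTION_SYNC) return
        val accountId = intent.getStringExtra("account_id") ?: return
        if (!accountId.matches(Regex("[A-Za-z0-9_-]{1,64}"))) return
        // ... start the sync for accountId here
    }
}

/**
 * Receiver that only this app's own components should reach.
 * On API 33+ we can say so directly with RECEIVER_NOT_EXPORTED; on older
 * levels context-registered receivers have no export flag, so we fall back
 * to requiring our signature-level permission from any sender.
 */
fun registerInternalReceiver(context: Context, receiver: BroadcastReceiver, filter: IntentFilter) {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
        context.registerReceiver(receiver, filter, Context.RECEIVER_NOT_EXPORTED)
    } else {
        context.registerReceiver(receiver, filter, PERMISSION_SEND_SYNC, null)
    }
}

/**
 * Receiver that must accept broadcasts from other apps signed with our key.
 * It is exported on purpose, but every sender must hold the permission.
 * The five-argument overload (permission, scheduler, flags) exists since API 26;
 * the RECEIVER_EXPORTED flag value itself exists since API 33.
 */
fun registerProtectedReceiver(context: Context, receiver: BroadcastReceiver, filter: IntentFilter) {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
        context.registerReceiver(receiver, filter, PERMISSION_SEND_SYNC, null, Context.RECEIVER_EXPORTED)
    } else {
        context.registerReceiver(receiver, filter, PERMISSION_SEND_SYNC, null)
    }
}

/**
 * Sending side, for completeness: target our own package explicitly so the
 * broadcast cannot be picked up by a third-party receiver that happens to
 * register the same action, and require the receiver to hold the permission.
 */
fun sendSyncBroadcast(context: Context, accountId: String) {
    val intent = Intent(ACTION_SYNC)
        .setPackage(context.packageName)
        .putExtra("account_id", accountId)
    context.sendBroadcast(intent, PERMISSION_SEND_SYNC)
}
```

Use registerInternalReceiver() whenever the broadcast never has to cross the app boundary; it is the simplest way to make this rule's finding go away. Reserve registerProtectedReceiver() for a genuine multi-app integration, and keep the permission at signature level so that holding it proves the sender was built with your key. Remember to unregister both receivers in the matching lifecycle callback.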

References