Android Sticky Broadcast
ID | kotlin.android_sticky_broadcast
Severity | critical
Resource | Access Control
Language | Kotlin
Tags | CWE:927, NIST.SP.800-53, PCI-DSS:6.5.6, PCI-DSS:6.5.8, android
Description
The use of Android sticky broadcasts is discouraged due to security and performance concerns.
Rationale
Sticky broadcasts in Android are broadcasts that the system keeps after delivery, so any receiver registered later immediately gets the most recent intent. The problem is that they expose shared, mutable data and enforce no access control: any app can read the retained intent, and any app can replace it by sending its own sticky broadcast with the same action. This can lead to data leaks or unreliable data reads, because the value a receiver gets may have been set by a different app.

import android.content.Context
import android.content.Intent

// Flagged by this rule: the intent is retained system-wide and is readable
// and replaceable by any other app on the device.
fun sendStickyBroadcast(context: Context) {
    val intent = Intent("com.example.SOME_ACTION")
    context.sendStickyBroadcast(intent)
}
Remediation
Avoid using sticky broadcasts. Instead, consider using more secure and modern components such as LiveData or WorkManager for data persistence and distribution.
You can refactor your code to use local broadcasts through LocalBroadcastManager, which does not support sticky broadcasts and only delivers to receivers in your own process, so other apps can neither read nor replace the data.

import android.content.Context
import android.content.Intent
import androidx.localbroadcastmanager.content.LocalBroadcastManager

// Compliant: delivered only to receivers inside this process and never
// retained by the system.
fun sendLocalBroadcast(context: Context) {
    val intent = Intent("com.example.SOME_ACTION")
    LocalBroadcastManager.getInstance(context).sendBroadcast(intent)
}
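The property most code relies on from a sticky broadcast is that a late subscriber immediately receives the last published value. The following added example (not part of the original rule page) shows how to get that same behaviour with LiveData, which the remediation text names, without publishing anything outside the process. The names NetworkState, NetworkStateHolder and observeNetwork are assumptions chosen for this example; the androidx.lifecycle API calls are real. Note that LocalBroadcastManager is deprecated in AndroidX, so an in-process holder like this is the more durable choice for new code.

```kotlin
// Added example: in-process "last value wins, late observers get it" semantics
// via LiveData, replacing a sticky broadcast. Type and object names are
// assumptions for illustration, not from the original page.
import androidx.lifecycle.LifecycleOwner
import androidx.lifecycle.LiveData
import androidx.lifecycle.MutableLiveData

// Constructed sample payload; a sticky broadcast would have carried this as intent extras.
data class NetworkState(val connected: Boolean, val ssid: String?)

object NetworkStateHolder {
    private val _state = MutableLiveData<NetworkState>()

    // Read-only view: consumers can observe but cannot overwrite the value.
    // With a sticky broadcast, any app on the device could replace it.
    val state: LiveData<NetworkState>
        get() = _state

    // Only this app's own code can publish, so the value cannot be spoofed
    // from outside the process. postValue is safe from any thread.
    fun publish(newState: NetworkState) {
        _state.postValue(newState)
    }
}

// Consumer side: an observer registered after publish() still receives the
// most recent NetworkState immediately, and is unregistered automatically
// when the owner's lifecycle is destroyed (no leaked receivers).
fun observeNetwork(owner: LifecycleOwner, onChange: (NetworkState) -> Unit) {
    NetworkStateHolder.state.observe(owner) { current -> onChange(current) }
}

// Producer side, e.g. from a ConnectivityManager.NetworkCallback (constructed values):
fun onConnectivityChanged() {
    NetworkStateHolder.publish(NetworkState(connected = true, ssid = "example-ssid"))
}
```

Because the holder lives inside the app process and exposes only a LiveData, there is no system-wide retained intent to leak and no public write path for another app to inject a forged value, which is exactly the weakness the rule flags.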
References
- CWE-927: Use of Implicit Intent for Sensitive Communication.
- Sticky Broadcasts: Sticky Broadcast Security Guide.