Android Unrestricted Broadcast
ID | kotlin.android_unrestricted_broadcast
Severity | critical
Resource | Access Control
Language | Kotlin
Tags | CWE:862, NIST.SP.800-53, PCI-DSS:6.5.6, PCI-DSS:6.5.8, android
Description
A broadcast sent without a receiver permission (or a target package) is delivered to every app on the device that has registered a receiver for its action, so any sensitive data carried in the intent's extras is exposed to untrusted apps.
Rationale
Broadcasts are one of Android's inter-process communication mechanisms: an app sends an Intent and the system delivers it to every receiver whose IntentFilter matches the action. When a broadcast is sent with no restriction, any installed app can register a receiver for the action at runtime and read the intent and its extras. This leaks whatever the sender put in the broadcast (tokens, account identifiers, event details) and lets a malicious app react to the event; a receiver that is itself unprotected can additionally be triggered by spoofed broadcasts from untrusted senders.
To secure a broadcast, limit it to a specific receiver or protect it with a permission so that only authorized applications can receive it or respond to it. A permission only helps if it is declared with a protection level that untrusted apps cannot obtain (typically protectionLevel="signature"); a normal-level permission can be requested by any app and therefore restricts nothing.
import android.content.Intent
import android.content.Context
fun sendUnrestrictedBroadcast(context: Context) {
val intent = Intent("com.example.SENSITIVE_ACTION")
context.sendBroadcast(intent) // FLAW: no receiver permission and no target package, so any app with a receiver for this action gets the intent and its extras
}
Remediation
To protect sensitive broadcasts, specify a permission that restricts which applications can receive them: declare the permission in the sending app's AndroidManifest.xml with protectionLevel="signature", and send with sendBroadcast(Intent, String) (or sendOrderedBroadcast(Intent, String)) passing that permission. Where the intended receiver is a single known app, additionally call Intent.setPackage() so the broadcast is delivered only to that package. On the receiving side, register the receiver with the same broadcastPermission so that only senders holding it can trigger it.
import android.content.Intent
import android.content.Context
fun sendRestrictedBroadcast(context: Context) {
val intent = Intent("com.example.SENSITIVE_ACTION")
// Secure: broadcast restricted with a permission that the sending app
// declares in its manifest (protectionLevel="signature"); only apps
// holding that permission receive the intent
context.sendBroadcast(intent, "com.example.SENSITIVE_PERMISSION")
}
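The following is an added example and not the rule page's own code. It shows the complete remediation the text describes: the sender applies both a target package and a signature-level permission, and the receiver registers with the same permission so untrusted apps can neither read nor spoof the broadcast. The action string, permission name, package name and the manifest declarations in the comment are assumptions made for illustration.

```kotlin
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.os.Build

// Assumed manifest declarations (hypothetical names), in the sending app:
//
//   <permission
//       android:name="com.example.SENSITIVE_PERMISSION"
//       android:protectionLevel="signature" />
//
// and in the receiving app, which must be signed with the same key:
//
//   <uses-permission android:name="com.example.SENSITIVE_PERMISSION" />
//
const val SENSITIVE_ACTION = "com.example.SENSITIVE_ACTION"
const val SENSITIVE_PERMISSION = "com.example.SENSITIVE_PERMISSION"
const val TRUSTED_PACKAGE = "com.example.trusted" // hypothetical receiver app

/** Sender side: two independent restrictions, applied together. */
fun sendSensitiveBroadcast(context: Context, payload: String) {
    val intent = Intent(SENSITIVE_ACTION).apply {
        // 1. Target one package: receivers in other apps never see the intent,
        //    even if they registered for the same action.
        setPackage(TRUSTED_PACKAGE)
        putExtra("payload", payload)
    }
    // 2. Require a permission: delivery happens only to apps that hold
    //    SENSITIVE_PERMISSION. With protectionLevel="signature" that means
    //    "signed with our key"; a normal-level permission would be granted to
    //    any app that lists it in <uses-permission>, restricting nothing.
    context.sendBroadcast(intent, SENSITIVE_PERMISSION)
}

/** Receiver side: handles only the expected action and payload. */
class SensitiveReceiver : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        if (intent.action != SENSITIVE_ACTION) return
        val payload = intent.getStringExtra("payload") ?: return
        // Process the payload here; it could only have come from a sender
        // holding SENSITIVE_PERMISSION (see registerSensitiveReceiver).
    }
}

/**
 * Registers the receiver at runtime with a broadcastPermission: a sender's
 * broadcast is delivered here only if the sending app holds
 * SENSITIVE_PERMISSION, which stops spoofed intents from untrusted apps.
 * RECEIVER_EXPORTED is required on API 33+ for a cross-app channel;
 * RECEIVER_NOT_EXPORTED would block delivery from other apps entirely.
 */
fun registerSensitiveReceiver(context: Context): BroadcastReceiver {
    val receiver = SensitiveReceiver()
    val filter = IntentFilter(SENSITIVE_ACTION)
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
        context.registerReceiver(
            receiver, filter, SENSITIVE_PERMISSION, null, Context.RECEIVER_EXPORTED
        )
    } else {
        context.registerReceiver(receiver, filter, SENSITIVE_PERMISSION, null)
    }
    return receiver
}
```

The permission protects both directions: passed to sendBroadcast it gates who may receive, passed to registerReceiver it gates who may send. Using setPackage() alongside it is cheap defence in depth, since it also prevents the intent from matching receivers in unrelated apps if the permission is ever misdeclared. Remember to unregister the receiver with context.unregisterReceiver(receiver) when the owning component is destroyed.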
References
- CWE-862: Missing Authorization.