In Android applications, broadcasting intents is security-sensitive. For example, it has led to a vulnerability in the past.
By default, broadcast intents are visible to every application, which exposes any sensitive information they contain.
This rule raises an issue when an intent is broadcast without specifying a "receiver permission".
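Ask yourself whether the intent contains sensitive information and whether any application is able to receive it. There is a risk if you answered yes to any of those questions.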
Restrict access to broadcast intents, for example by specifying a receiver permission when sending them. See the Android documentation for more information.
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.os.Bundle
import android.os.Handler
import android.os.UserHandle
/**
 * Noncompliant sample: every broadcast below is sent without a receiver permission.
 */
public class MyIntentBroadcast {
    /**
     * Sends [intent] through several broadcast APIs, none of which restricts who may receive it.
     *
     * Each call either uses an overload that takes no receiver permission or passes `null`
     * for it, so the intent and whatever it carries are visible to every application.
     *
     * @param intent the intent being broadcast; anything it contains is exposed.
     * @param context the context the broadcasts are sent from.
     * @param user target user for the `...AsUser` variants.
     * @param resultReceiver, scheduler, initialCode, initialData, initialExtras
     *   forwarded unchanged to `sendOrderedBroadcastAsUser`.
     * @param broadcastPermission accepted but never passed to any call in this sample.
     */
    fun broadcast(
        intent: Intent,
        context: Context,
        user: UserHandle,
        resultReceiver: BroadcastReceiver,
        scheduler: Handler,
        initialCode: Int,
        initialData: String,
        initialExtras: Bundle,
        broadcastPermission: String
    ) {
        // Overloads with no receiver-permission argument at all.
        context.sendBroadcast(intent) // Sensitive
        context.sendBroadcastAsUser(intent, user) // Sensitive

        // Broadcasting intent with "null" for receiverPermission
        context.sendBroadcast(intent, null) // Sensitive
        context.sendBroadcastAsUser(intent, user, null) // Sensitive
        context.sendOrderedBroadcast(intent, null) // Sensitive

        // Third argument is the receiver permission; null leaves reception unrestricted.
        context.sendOrderedBroadcastAsUser(
            intent,
            user,
            null,
            resultReceiver,
            scheduler,
            initialCode,
            initialData,
            initialExtras
        ) // Sensitive
    }
}
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.os.Bundle
import android.os.Handler
import android.os.UserHandle
/**
 * Compliant sample: every broadcast below names a receiver permission.
 */
public class MyIntentBroadcast {
    /**
     * Sends [intent] through several broadcast APIs, passing [broadcastPermission] as the
     * receiver permission on every call so that reception is restricted to applications
     * holding that permission.
     *
     * NOTE(review): how much this restricts delivery depends on how the permission named by
     * [broadcastPermission] is declared, which is not visible here. Confirm it is not a
     * permission any installed application can obtain (a signature-level permission is the
     * usual choice for broadcasts meant for the app's own components).
     *
     * @param intent the intent being broadcast.
     * @param context the context the broadcasts are sent from.
     * @param user target user for the `...AsUser` variants.
     * @param resultReceiver, scheduler, initialCode, initialData, initialExtras
     *   forwarded unchanged to `sendOrderedBroadcastAsUser`.
     * @param broadcastPermission permission a receiver must hold to be delivered the intent.
     */
    fun broadcast(
        intent: Intent,
        context: Context,
        user: UserHandle,
        resultReceiver: BroadcastReceiver,
        scheduler: Handler,
        initialCode: Int,
        initialData: String,
        initialExtras: Bundle,
        broadcastPermission: String
    ) {
        // The receiver permission is supplied explicitly on each variant.
        context.sendBroadcast(intent, broadcastPermission)
        context.sendBroadcastAsUser(intent, user, broadcastPermission)
        context.sendOrderedBroadcast(intent, broadcastPermission)

        // Third argument is the receiver permission.
        context.sendOrderedBroadcastAsUser(
            intent,
            user,
            broadcastPermission,
            resultReceiver,
            scheduler,
            initialCode,
            initialData,
            initialExtras
        )
    }
}