Android applications can receive broadcasts from the system or from other applications. Receiving intents is security-sensitive. For example, it has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1677[CVE-2019-1677]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1275[CVE-2015-1275]

Receivers can be declared in the manifest, or registered in code to make them context-specific. If the receiver is declared in the manifest, Android will start the application, if it is not already running, once a matching broadcast is received. The receiver is an entry point into the application.

Other applications can send potentially malicious broadcasts, so it is important to treat broadcasts as untrusted and to limit which applications can send broadcasts to the receiver.

Permissions can be specified to restrict broadcasts to authorized applications. Restrictions can be enforced by both the sender and the receiver of a broadcast. If permissions are specified when registering a broadcast receiver, then only broadcasters that have been granted this permission can send a message to the receiver.

This rule raises an issue when a receiver is registered without specifying any broadcast permission.
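
The manifest side of this check can be sketched as a small audit script. This is an added example, not code from the rule or its analyzer, and it covers only receivers declared in the manifest, not receivers registered in code. The sample manifest, package name and permission name are constructed, and skipping receivers that are not exported is an assumption that goes beyond the rule text above.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (not from a real app): unprotected receivers beside
# hardened ones. The package and permission names are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <permission android:name="com.example.app.permission.SEND_SYNC"
              android:protectionLevel="signature"/>
  <application>
    <receiver android:name=".OpenReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.app.SYNC"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
              android:permission="com.example.app.permission.SEND_SYNC">
      <intent-filter><action android:name="com.example.app.SYNC"/></intent-filter>
    </receiver>
    <receiver android:name=".ImplicitReceiver">
      <intent-filter><action android:name="com.example.app.PING"/></intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>
"""

def unprotected_receivers(manifest_xml):
    """Return names of receivers other apps can reach without holding a permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for app in root.iter("application"):
        # A permission on <application> is the default for all of its components.
        app_permission = app.get(ANDROID + "permission")
        for receiver in app.iter("receiver"):
            exported = receiver.get(ANDROID + "exported")
            if exported is None:
                # Platform default when the attribute is absent: exported
                # if and only if the receiver declares an intent filter.
                reachable = receiver.find("intent-filter") is not None
            else:
                reachable = exported.lower() == "true"
            permission = receiver.get(ANDROID + "permission") or app_permission
            if reachable and not permission:
                findings.append(receiver.get(ANDROID + "name"))
    return findings

if __name__ == "__main__":
    for name in unprotected_receivers(SAMPLE_MANIFEST):
        print("receiver without broadcast permission:", name)
```

The `signature` protection level in the sample restricts the permission to applications signed with the same certificate as the one that declares it.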