spaaarky21

Reputation: 6858

PendingIntent.getBroadcast() security concerns?

I was looking at the documentation for PendingIntent.getBroadcast(Context, int, Intent, int) and it mentions that...

> For security reasons, the Intent you supply here should almost always be an explicit intent, that is specify an explicit component to be delivered to through Intent.setClass

What exactly are the security reasons? What makes explicit Intents more secure if other applications can still create one using only your package name and the component's name?

I've seen the report at NIST.gov about a PendingIntent-based security vulnerability that affected all of Android 4.x, where a malicious app could send Intents as the SYSTEM user. However, I'm not sure if the same concerns apply to my app.

If an Intent is handled by a BroadcastReceiver and the Intent isn't used to pass data (as extras, for example,) is there still a risk?

Upvotes: 3

Views: 1239

Answers (1)

CommonsWare

Reputation: 1007359

My guess is that what they really meant was:

> For security reasons, the Intent you supply here should almost always be an explicit Intent pointing to a non-exported component, that is specify an explicit component to be delivered to through Intent.setClass

Your concern about "other applications can still create one using only your package name and the component's name" is only valid if the component is exported. For a BroadcastReceiver, it will be exported by default only if it has an <intent-filter> (or IntentFilter, if registering via registerReceiver()).

> If an Intent is handled by a BroadcastReceiver and the Intent isn't used to pass data (as extras, for example,) is there still a risk?

Off the cuff, there are two risks with using implicit Intents:

  1. On the sending side, anyone can respond to your broadcast. While you might think that the mere existence of the broadcast is not a privacy/security leak — and in your specific case, it might not be a leak — that is not universally true.

  2. On the receiving side, if your component is exported (the default if it can handle an implicit Intent), other parties could send you fake broadcasts, perhaps tricking you into doing something unfortunate.

Upvotes: 4
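The two forms discussed in the answer above, side by side, as an added example that is not part of the original question or answer. `AlarmReceiver`, `ACTION_ALARM` and the `com.example.app` package are hypothetical names; `FLAG_IMMUTABLE` (API 23+) is not mentioned on the page and is included so the calls are valid on current Android versions.

```java
// Added example. Manifest entry assumed for the receiver (no <intent-filter>,
// explicitly not exported, so other apps cannot send broadcasts to it directly):
//
//   <receiver android:name=".AlarmReceiver" android:exported="false" />

package com.example.app; // hypothetical package

import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class AlarmReceiver extends BroadcastReceiver {
    // Hypothetical action string, used only to label the broadcast.
    static final String ACTION_ALARM = "com.example.app.ACTION_ALARM";

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!ACTION_ALARM.equals(intent.getAction())) {
            return; // ignore anything this receiver was not built to handle
        }
        // ... do the work the PendingIntent was created for ...
    }

    // Implicit form the documentation warns about. When the PendingIntent is
    // sent, any receiver registered for ACTION_ALARM gets the broadcast
    // (risk 1), and to receive it yourself you need an <intent-filter>, which
    // exports the receiver by default and lets others send fake broadcasts
    // (risk 2).
    static PendingIntent implicitPendingIntent(Context context) {
        Intent intent = new Intent(ACTION_ALARM);
        return PendingIntent.getBroadcast(context, 0, intent,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
    }

    // Explicit form: setClass() pins delivery to this one component. Because
    // the PendingIntent is sent with this app's identity, it still reaches
    // the receiver even though the receiver is not exported.
    static PendingIntent explicitPendingIntent(Context context) {
        Intent intent = new Intent(ACTION_ALARM)
                .setClass(context, AlarmReceiver.class);
        return PendingIntent.getBroadcast(context, 0, intent,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
    }
}
```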
