Use of Implicit Intent for Sensitive Communication

Incomplete Variant

Structure: Simple

Description

This vulnerability occurs when an Android app uses an implicit intent to send sensitive data, allowing any other app on the device to potentially intercept and read that information.

Extended Description

Implicit intents are a security risk because they don't specify a single recipient app. Instead, they broadcast data to any application that declares it can handle that type of intent. This means a malicious app with a matching intent filter can eavesdrop on sensitive communications, such as authentication tokens or personal data. The risk is amplified by two specific broadcast types: ordered broadcasts, where a high-priority malicious receiver can block or alter the data mid-chain, and sticky broadcasts, which persist data in the system long after the initial send, increasing the window for exposure. Furthermore, intents can grant temporary URI permissions, giving the receiver access to files or content the sender app protects. A malicious interceptor gains those same privileges, leading to unauthorized data access. Identifying and fixing every instance of this pattern in a large codebase is challenging. An ASPM platform like Plexicus can automatically detect these flaws via SAST, and its AI-powered remediation can suggest the specific code changes—like switching to explicit intents or protected broadcasts—saving significant manual review time.

Common Consequences 2

Scope: Confidentiality

Impact: Read Application Data

Other applications, possibly untrusted, can read the data that is offered through the Intent.

Scope: Integrity

Impact: Varies by Context

The application may handle responses from untrusted applications on the device, which could cause it to perform unexpected or unauthorized actions.

Detection Methods 1

Automated Static AnalysisHigh

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Potential Mitigations 1

Phase: Implementation

If the application only requires communication with its own components, then the destination is always known, and an explicit intent could be used.

Demonstrative Examples 4

This application wants to create a user account in several trusted applications using one broadcast intent:

Code Example:Bad
Java
java

This application assumes only the trusted applications will be listening for the action. A malicious application can register for this action and intercept the user's login information, as below:

Code Example:Attack
Java
java

When a broadcast contains sensitive information, create an allowlist of applications that can receive the action using the application's manifest file, or programmatically send the intent to each individual intended receiver.

This application interfaces with a web service that requires a separate user login. It creates a sticky intent, so that future trusted applications that also use the web service will know who the current user is:

Code Example:Bad
Java
java

Code Example:Attack
Java
java

Sticky broadcasts can be read by any application at any time, and so should never contain sensitive information such as a username.

This application is sending an ordered broadcast, asking other applications to open a URL:

Code Example:Bad
Java
java

Any application in the broadcast chain may alter the data within the intent. This malicious application is altering the URL to point to an attack site:

Code Example:Attack
Java
java

The final receiving application will then open the attack URL. Where possible, send intents to specific trusted applications instead of using a broadcast chain.

ID : DX-108

This application sends a special intent with a flag that allows the receiving application to read a data file for backup purposes.

Code Example:Bad
Java
java

Code Example:Attack
Java
java

Any malicious application can register to receive this intent. Because of the FLAG_GRANT_READ_URI_PERMISSION included with the intent, the malicious receiver code can read the user's data.

Observed Examples 1

CVE-2022-4903An Android application does not use FLAG_IMMUTABLE when creating a PendingIntent.

References 2

Analyzing Inter-Application Communication in Android

Erika Chin, Adrienne Porter Felt, Kate Greenwood, and David Wagner

http://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf

ID: REF-922

Security Tips

Android Open Source Project

16-07-2013

https://developer.android.com/training/articles/security-tips#ContentProviders(2023-04-07)

ID: REF-923

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Technologies:

Mobile : Undetermined

Modes of Introduction

Architecture and Design

Related Weaknesses

ChildOf:

Improper Authorization (CWE-285)

ChildOf:

Exposure of Resource to Wrong Sphere (CWE-668)