Android: Broadcast sender without permissions
Classification
Overview
The application sends a broadcast message without specifying the appropriate permissions for the receiving application.
Messages sent this way can be received by any application that registers a matching receiver. Sensitive data contained in the message may be exposed.
Android uses broadcast messages for system events such as battery level, network connections, incoming calls, time zone changes, data connection status, and incoming SMS messages or phone calls. Broadcast messages are also used to notify listeners of system or application events. Broadcast messages make the application more open: by passing events as messages, you expose the components of your application to third-party applications, and third-party developers can respond to those events without having to modify your original application.
Senders of intents can ensure that recipients hold a permission by passing a non-null permission name when calling the broadcast method. Only applications that hold this permission will receive the intent. If the data in a broadcast intent may be sensitive, you should consider applying a permission so that malicious applications cannot register to receive these messages without holding it. In these circumstances, you can also consider addressing the recipient directly with an explicit intent instead of broadcasting.
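The three sending variants described above, as an added example that is not code from the original page: the unprotected broadcast, the same broadcast restricted to holders of an app-defined permission via the `receiverPermission` argument of `Context.sendBroadcast(Intent, String)`, and an explicit intent addressed to a single known package. The package names, permission name, action string and extra key are assumptions chosen for the example; the manifest fragments are shown in comments because both sides must agree on the permission name.

```java
// Added example (not from the original page): restricting who can receive a
// broadcast. All package, permission, action and extra names are assumptions.
//
// AndroidManifest.xml of the sending app declares the permission. The
// "signature" protection level means only apps signed with the same
// certificate as the declaring app can hold it:
//
//   <permission
//       android:name="com.example.sender.permission.SECURE_EVENT"
//       android:protectionLevel="signature" />
//
// A legitimate receiving app requests the permission and, so that spoofed
// broadcasts from other apps are rejected too, guards its receiver with it:
//
//   <uses-permission android:name="com.example.sender.permission.SECURE_EVENT" />
//   <receiver android:name=".SecureEventReceiver"
//       android:exported="true"
//       android:permission="com.example.sender.permission.SECURE_EVENT">
//       <intent-filter>
//           <action android:name="com.example.sender.ACTION_SECURE_EVENT" />
//       </intent-filter>
//   </receiver>

package com.example.sender;

import android.content.Context;
import android.content.Intent;

public final class SecureEventSender {

    static final String ACTION = "com.example.sender.ACTION_SECURE_EVENT";
    static final String PERMISSION = "com.example.sender.permission.SECURE_EVENT";
    static final String EXTRA_TOKEN = "session_token";

    private SecureEventSender() {}

    // Vulnerable form: no receiver permission is required, so every installed
    // app that registers a receiver for ACTION gets the intent and its extras.
    static void sendInsecure(Context ctx, String sessionToken) {
        Intent intent = new Intent(ACTION);
        intent.putExtra(EXTRA_TOKEN, sessionToken);
        ctx.sendBroadcast(intent);
    }

    // Hardened form: the second argument names the permission a receiver must
    // hold. The system delivers the broadcast only to apps holding it and
    // silently drops it for everyone else. sendOrderedBroadcast(Intent, String)
    // accepts the same receiverPermission argument.
    static void sendWithPermission(Context ctx, String sessionToken) {
        Intent intent = new Intent(ACTION);
        intent.putExtra(EXTRA_TOKEN, sessionToken);
        ctx.sendBroadcast(intent, PERMISSION);
    }

    // Alternative when the recipient is known in advance: make the intent
    // explicit with setPackage(), so it is delivered to that package only and
    // no other app's receiver can observe it, whatever its intent filters.
    static void sendToKnownPackage(Context ctx, String sessionToken) {
        Intent intent = new Intent(ACTION);
        intent.setPackage("com.example.trustedreceiver");  // assumed package
        intent.putExtra(EXTRA_TOKEN, sessionToken);
        ctx.sendBroadcast(intent);
    }
}
```

When reviewing an app for this issue, look for `sendBroadcast` and `sendOrderedBroadcast` calls whose intent carries extras and that pass neither a receiver permission nor a target package; those are the call sites where any installed application can read the payload. Combining the permission with the receiver-side `android:permission` attribute closes the other direction as well, since it stops arbitrary apps from sending spoofed events to the protected receiver.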
Improper Platform Usage vulnerabilities take the first place in the “OWASP Mobile Top 10 2016” mobile application vulnerabilities ranking.
