Android : Receiver without permissions

Overview

The application registers a broadcast receiver without specifying the permissions a sender must hold.

The application will receive broadcast messages from any source, including malicious applications. This may lead to compromise of the application.

A BroadcastReceiver processes asynchronous requests initiated by an Intent.

By default, receivers are exported and can be invoked by any other application. If your BroadcastReceiver is intended for use by other applications, you can apply permissions to receivers using the <receiver> element in the application manifest. This prevents applications without the proper permissions from sending intents to the BroadcastReceiver.

Improper Platform Usage vulnerabilities take third place in the “OWASP Mobile Top 10 2016” ranking of mobile application vulnerabilities. This category includes vulnerabilities related to the platform’s permissions and to misuse of TouchID, the Keychain and other security controls that are part of the mobile operating system.

DerScanner Severity Score: MEDIUM
