Config files: Receiver without permissions
Classification
Overview
The application registers a broadcast receiver without defining which permissions the sender must hold.
The application will receive broadcast messages from any source, including malicious ones. This may lead to an application compromise.
A BroadcastReceiver processes asynchronous requests initiated by an Intent.
By default receivers are exported and can be called by any other application. If your BroadcastReceiver is intended for use by other applications, you can apply permissions to receivers using the <receiver> element in the application manifest. This prevents applications without the proper permissions from sending intents to the BroadcastReceiver.
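One way to check a manifest for this finding, as an added example that is not part of the original page: the script parses a constructed AndroidManifest.xml and lists exported receivers that require no sender permission. The package, class, action and permission names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest; every name in it is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <permission android:name="com.example.app.permission.SEND_SYNC"
      android:protectionLevel="signature" />
  <application>
    <!-- Weak: reachable by any app, no sender permission required -->
    <receiver android:name=".SyncReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.app.SYNC" /></intent-filter>
    </receiver>
    <!-- Corrected: senders must hold the signature-level permission -->
    <receiver android:name=".SecureSyncReceiver" android:exported="true"
        android:permission="com.example.app.permission.SEND_SYNC">
      <intent-filter><action android:name="com.example.app.SECURE_SYNC" /></intent-filter>
    </receiver>
    <!-- Not exported: other applications cannot send to it -->
    <receiver android:name=".InternalReceiver" android:exported="false" />
  </application>
</manifest>
"""

def is_exported(receiver):
    """Explicit android:exported wins; without it, an intent-filter implies
    exported (the platform default before Android 12)."""
    value = receiver.get(A + "exported")
    if value is not None:
        return value.strip().lower() == "true"
    return receiver.find("intent-filter") is not None

def unprotected_receivers(manifest_xml):
    """Return names of exported receivers that require no sender permission."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    app_permission = app.get(A + "permission")  # applies to all components
    findings = []
    for receiver in app.findall("receiver"):
        permission = receiver.get(A + "permission") or app_permission
        if is_exported(receiver) and not permission:
            findings.append(receiver.get(A + "name"))
    return findings

if __name__ == "__main__":
    for name in unprotected_receivers(SAMPLE_MANIFEST):
        print("receiver without sender permission:", name)
```

Receivers registered at runtime with registerReceiver() do not appear in the manifest, so this check does not cover them.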
Improper Platform Usage vulnerabilities take third place in the “OWASP Mobile Top 10 2016” ranking of mobile application vulnerabilities. This category includes vulnerabilities related to the platform’s permissions and to misuse of TouchID, the Keychain and other security controls that are part of the mobile operating system.
