CodeQL documentation

Leaking sensitive information through an implicit Intent

ID: java/android/sensitive-communication
Kind: path-problem
Security severity: 8.2
Severity: warning
Precision: medium
Tags:
   - security
   - external/cwe/cwe-927
Query suites:
   - java-security-extended.qls
   - java-security-and-quality.qls


When an implicit Intent is used with a method such as startActivity, startService, or sendBroadcast, it may be read by other applications on the device.

This means that sensitive data in these Intents may be leaked.

Recommendation

For sendBroadcast methods, a receiver permission may be specified so that only applications with a certain permission may receive the Intent; or a LocalBroadcastManager may be used. Otherwise, ensure that Intents containing sensitive data have an explicit receiver class set.

Example

The following example shows ways of broadcasting Intents. In the ‘BAD’ case, no “receiver permission” is specified. In the ‘GOOD’ cases, a “receiver permission” or “receiver application” is specified.

public void sendBroadcast1(Context context, String token, String refreshToken) 
{
    {
        // BAD: broadcast sensitive information to all listeners
        Intent intent = new Intent();
        intent.setAction("com.example.custom_action");
        intent.putExtra("token", token);
        intent.putExtra("refreshToken", refreshToken);
        context.sendBroadcast(intent);
    }

    {
        // GOOD: broadcast sensitive information only to those with permission
        Intent intent = new Intent();
        intent.setAction("com.example.custom_action");
        intent.putExtra("token", token);
        intent.putExtra("refreshToken", refreshToken);
        context.sendBroadcast(intent, "com.example.user_permission");
    }

    {
        // GOOD: broadcast sensitive information to a specific application
        Intent intent = new Intent();
        intent.setAction("com.example.custom_action");
        intent.setClassName("com.example2", "com.example2.UserInfoHandler");
        intent.putExtra("token", token);
        intent.putExtra("refreshToken", refreshToken);
        context.sendBroadcast(intent);
    }
}
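
The recommendation also names LocalBroadcastManager and explicit receiver classes, and the description covers startService and startActivity, none of which the example above exercises. The following is an added example, not part of the CodeQL documentation; TokenDispatcher and its method names are hypothetical, and it assumes the androidx.localbroadcastmanager dependency is available.

```java
import android.app.Activity;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import androidx.localbroadcastmanager.content.LocalBroadcastManager;

// Added example; TokenDispatcher and its method names are hypothetical.
public class TokenDispatcher {
    private static final String ACTION = "com.example.custom_action";

    // Attaches the same sensitive extras used in the example above.
    private static Intent withTokens(Intent intent, String token, String refreshToken) {
        intent.putExtra("token", token);
        intent.putExtra("refreshToken", refreshToken);
        return intent;
    }

    // In-process broadcast: only receivers registered with this app's
    // LocalBroadcastManager see the Intent. (AndroidX marks the class
    // deprecated, but delivery remains limited to the sending process.)
    public static void broadcastInProcess(Context context, String token, String refreshToken) {
        Intent intent = withTokens(new Intent(ACTION), token, refreshToken);
        LocalBroadcastManager.getInstance(context).sendBroadcast(intent);
    }

    // Explicit Intent: the target Service class is fixed by the caller, so
    // the system does not match the Intent against other apps' filters.
    public static void startOwnService(Context context, Class<? extends Service> target,
                                       String token, String refreshToken) {
        context.startService(withTokens(new Intent(context, target), token, refreshToken));
    }

    // Guard for call sites that receive a prepared Intent: refuse to add
    // the tokens unless an explicit component has been set on it.
    public static void startActivityExplicit(Activity caller, Intent intent,
                                             String token, String refreshToken) {
        if (intent.getComponent() == null) {
            throw new IllegalArgumentException("implicit Intent must not carry tokens");
        }
        caller.startActivity(withTokens(intent, token, refreshToken));
    }
}
```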
