Rules Repository / RSPEC-5320

Broadcasting intents is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure that broadcasting intents is safe here
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      Kotlin
    • Covered Languages:
      Java
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-927
    • OWASP:
      A3
    • FindBugs:
      ANDROID_BROADCAST

      Description

      In Android applications, broadcasting intents is security-sensitive. For example, it has led in the past to the following vulnerability:

      By default, broadcast intents are visible to every application on the device, so any sensitive information they carry is exposed to all of them.

      This rule raises an issue when an intent is broadcast without specifying any "receiver permission".

      Ask Yourself Whether

      • The intent contains sensitive information.
      • Intent reception is not restricted.

      You are at risk if you answered yes to all those questions.

      Recommended Secure Coding Practices

      Restrict access to broadcast intents. See the Android documentation for more information.
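      The noncompliant pattern this rule flags, next to two ways of restricting reception, as an added illustration that is not SonarSource's code or part of the rule text. The action string, extra key, permission name and package name are constructed for the example; the second compliant variant goes beyond the rule text by also pinning the target package with setPackage, which makes the broadcast explicit.

```java
import android.content.Context;
import android.content.Intent;

// Added illustration for RSPEC-5320; names below are constructed, not from the rule page.
public final class SyncBroadcaster {
    static final String ACTION_SYNC_DONE = "com.example.action.SYNC_DONE";
    // Custom permission the sending app declares in its manifest, e.g.
    //   <permission android:name="com.example.permission.RECEIVE_SYNC_EVENT"
    //               android:protectionLevel="signature" />
    // With protectionLevel="signature", only apps signed with the same key can hold it.
    static final String RECEIVE_SYNC_PERMISSION = "com.example.permission.RECEIVE_SYNC_EVENT";

    private final Context context;

    SyncBroadcaster(Context context) {
        this.context = context;
    }

    // Noncompliant (what the rule reports): no receiver permission, so every installed
    // app with a matching BroadcastReceiver can read the token carried in the extra.
    void notifySyncDoneNoncompliant(String sessionToken) {
        Intent intent = new Intent(ACTION_SYNC_DONE);
        intent.putExtra("session_token", sessionToken);
        context.sendBroadcast(intent);
    }

    // Compliant: sendBroadcast(Intent, String) delivers the intent only to receivers
    // whose application holds RECEIVE_SYNC_PERMISSION.
    void notifySyncDoneWithPermission(String sessionToken) {
        Intent intent = new Intent(ACTION_SYNC_DONE);
        intent.putExtra("session_token", sessionToken);
        context.sendBroadcast(intent, RECEIVE_SYNC_PERMISSION);
    }

    // Compliant, stricter: pin the target package so the broadcast is explicit and is
    // delivered to that package only, and still require the receiver permission.
    void notifySyncDoneExplicit(String sessionToken, String targetPackage) {
        Intent intent = new Intent(ACTION_SYNC_DONE);
        intent.putExtra("session_token", sessionToken);
        intent.setPackage(targetPackage); // e.g. "com.example.companion" (constructed)
        context.sendBroadcast(intent, RECEIVE_SYNC_PERMISSION);
    }
}
```

      Ordered broadcasts have the same overload, sendOrderedBroadcast(Intent, String receiverPermission), and the same reasoning applies to them.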

          Issue Links

          1.
          Java RSPEC-5321 Language-Specification Active Unassigned

              People

              • Assignee:
                Unassigned
              • Reporter:
                Nicolas Harraudeau (nicolas.harraudeau)
              • Votes:
                0
              • Watchers:
                2
