Rules Repository: RSPEC-5322

Receiving intents is security-sensitive

    Details

    • Message:
      Make sure that intents are received safely here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      Kotlin
    • Covered Languages:
      Java
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-925
    • OWASP:
      A1
    • SANS Top 25:
      Insecure Interaction Between Components

    Description

    In Android applications, receiving intents is security-sensitive. For example, it has led in the past to the following vulnerability:

    Once a receiver is registered, any app can broadcast potentially malicious intents to your application.

    This rule raises an issue when a receiver is registered without specifying any "broadcast permission".

    Ask Yourself Whether

    • The data extracted from intents is not sanitized.
    • Intent broadcasts are not restricted.

    You may be at risk if you answered yes to any of those questions.

    Recommended Secure Coding Practices

    Restrict access to broadcast intents, for example by registering the receiver with a broadcast permission. See the Android documentation for more information.
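    As an added example (not code from the RSPEC page or from SonarSource), the two registration patterns this rule distinguishes, written in Java for Android, together with basic validation of the received extras; the action name, permission name and extra key are hypothetical.

```java
// Added example: registering a receiver for a custom broadcast without and
// with a broadcast permission. The names below are hypothetical; the
// permission is assumed to be declared in the manifest, e.g.
//   <permission android:name="com.example.permission.SYNC_DONE"
//               android:protectionLevel="signature" />
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;

public class SyncStatusReceiver extends BroadcastReceiver {
    static final String ACTION_SYNC_DONE = "com.example.action.SYNC_DONE";
    static final String PERMISSION_SYNC_DONE = "com.example.permission.SYNC_DONE";

    @Override
    public void onReceive(Context context, Intent intent) {
        // Treat the intent as untrusted input: if registration was not
        // restricted, any app on the device could have sent it.
        if (intent == null || !ACTION_SYNC_DONE.equals(intent.getAction())) {
            return;
        }
        String account = intent.getStringExtra("account");
        if (account == null || account.isEmpty() || account.length() > 64) {
            return; // reject missing, empty or oversized values instead of using them
        }
        // ... safe to use "account" from here on ...
    }

    // Noncompliant: no broadcast permission, so every app can deliver
    // ACTION_SYNC_DONE to this receiver.
    static void registerUnrestricted(Context context, SyncStatusReceiver receiver) {
        context.registerReceiver(receiver, new IntentFilter(ACTION_SYNC_DONE));
    }

    // Compliant: only senders holding PERMISSION_SYNC_DONE can deliver the
    // intent (scheduler null = deliver on the main thread).
    static void registerRestricted(Context context, SyncStatusReceiver receiver) {
        context.registerReceiver(receiver, new IntentFilter(ACTION_SYNC_DONE),
                PERMISSION_SYNC_DONE, null);
    }

    // Also compliant on API 33+: keep the receiver app-internal, so the intent
    // can only come from this application itself.
    static void registerNotExported(Context context, SyncStatusReceiver receiver) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            context.registerReceiver(receiver, new IntentFilter(ACTION_SYNC_DONE),
                    Context.RECEIVER_NOT_EXPORTED);
        }
    }
}
```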

          Issue Links

    1. Java RSPEC-5323 (Language-Specification, Active, Unassigned)
    People

    • Assignee: Unassigned
    • Reporter: Nicolas Harraudeau (nicolas.harraudeau)
    • Votes: 0
    • Watchers: 1