Data coming from an external application is used without validation

This is an elevated privilege violation. When a broadcast receiver can be accessed outside the app, the user must sanitize any input that is stored in the extra data fields.

Vulnerability and risk

If the android:exported flag isn't provided or is false, the operating system won't allow external apps to access the receiver unless they are signed by the same key. If that flag is true, external users can send to the broadcast receiver (also service or activity).

Mitigation and prevention

Ensure that any calls to get*Extra() does some sanity check on the value returned before it is used.


13 BroadcastReceiver m_batteryReceiver = new BroadcastReceiver() {
14   public void onReceive(Context arg0, Intent intent) {
15     String s = intent.getStringExtra("url");
16     Intent i = new Intent(Intent.ACTION_VIEW);
17     i.setData(Uri.parse(s));
18     startActivity(i);
19   }
20 };

ANDROID.LIFECYCLE.SV.GETEXTRA is reported for line 18: intent is coming from outside the application. Extra information is used then to start an activity.