ANDROID.LIFECYCLE.SV.GETEXTRA

Data coming from an external application is used without validation

This is an elevated privilege violation. When a broadcast receiver can be accessed outside the app, the user must sanitize any input that is stored in the extra data fields.

Vulnerability and risk

If the android:exported flag isn't provided or is false, the operating system won't allow external apps to access the receiver unless they are signed by the same key. If that flag is true, external users can send to the broadcast receiver (also service or activity).

Mitigation and prevention

Ensure that any calls to get*Extra() does some sanity check on the value returned before it is used.

Example

13
14
15
16
17
18
19
20
 BroadcastReceiver m_batteryReceiver = new BroadcastReceiver() {
   public void onReceive(Context arg0, Intent intent) {
     String s = intent.getStringExtra("url");
     Intent i = new Intent(Intent.ACTION_VIEW);
     i.setData(Uri.parse(s));
     startActivity(i);
   }
 };

ANDROID.LIFECYCLE.SV.GETEXTRA is reported for line 18: intent is coming from outside the application. Extra information is used then to start an activity.

Related checkers

• ANDROID.LIFECYCLE.SV.FRAGMENTINJ

External guidance

• CWE-20: Improper Input Validation
• OWASP A1:2017 Injection
• OWASP A3:2021 Injection