MASTG-TEST-0366: Exported And Unprotected Broadcast Receivers That Expose Sensitive Functionality
Overview¶
If an exported receiver does not define android:permission with a proper protection level and performs or grants access to sensitive functionality, another third-party app outside the intended trust boundary can send a broadcast to it and invoke that functionality. See Android Broadcast Receivers for details on broadcast receivers, App Permissions for permissions and protection levels, and Inter-Process Communication (IPC) Mechanisms for the IPC model of Android.
This test checks whether the app exposes sensitive functionality through exported and unprotected broadcast receivers.
Steps¶
- Use Reverse Engineering Android Apps to reverse engineer the app.
- Use Obtaining Information from the AndroidManifest to obtain the AndroidManifest.xml.
- Use Enumerating Broadcast Receivers to list the exported broadcast receivers and their associated
android:permission, including context-registered receivers found in the code. - Use Static Analysis on Android to inspect the
onReceiveimplementation of each exported receiver.
Observation¶
The output should contain a list of exported broadcast receivers and the relevant parts of their onReceive implementation, including how they use data from the received intent and any permission they require.
Evaluation¶
The test case fails if any exported broadcast receiver is not protected by an appropriate android:permission that restricts which apps can send broadcasts to it and exposes or performs sensitive functionality, for example by performing a security-relevant action or disclosing sensitive data when it receives a broadcast.
Further Validation Required:
Inspect each exported broadcast receiver using Reviewing Decompiled Java Code to determine whether it exposes sensitive functionality:
- Determine whether
onReceiveperforms a security-relevant action or discloses sensitive data based on the received intent (for example, reading extras and using them to send a message or change state). - Determine whether the receiver validates the data it reads from the intent before acting on it.
Then determine whether external access to the receiver is appropriately restricted for the functionality it exposes and the app's intended trust boundary:
- Determine whether the receiver has a legitimate reason to accept broadcasts from third-party apps. If it doesn't, it shouldn't be exported.
- If external access is required, determine whether the receiver is protected by an appropriate
android:permissionor an equivalent access control. Appropriate means the control matches the sensitivity of the receiver action and the set of apps that should be allowed to send broadcasts to it. - Verify that the permission is effective for that trust boundary, for example by using a
signatureprotection level or another control that is not broadly grantable to untrusted apps. - Determine whether context-registered receivers are registered with
RECEIVER_NOT_EXPORTEDwhen they don't need to receive broadcasts from other apps.
Best Practices¶
MASTG-BEST-0052: Restrict Access to Android App Components