Issue: NowSecure 3rd party security tool has flagged the use of unrestricted context-registered broadcast receivers
Evidence: com.cardinalcommerce is referenced in a heavily obfuscated stacktrace. This is the only library in my project that uses that dependency. If I remove this library from my project, the issue is gone.
P.S. I'm just going to dump the info NowSecure gave me below. It's bloated so feel free to ignore it entirely or at least be heavily annoyed when you read it 😅
Context Registered Broadcast Receivers Not Protected with Permissions
The app dynamically registers some unprotected broadcast receivers.
Broadcast receivers are an inter-process communication ingest mechanism, allowing apps to receive data in the form of intents coming from other apps. They can be statically declared in the Android Manifest or registered dynamically at runtime. The latter is known as Context-registered receivers, because their lifetime is bound to a given Context object in the app. For example, an Activity is a Context that may have broadcast receivers registered against it at runtime.
As with static receivers, dynamic ones can be exported, protected using permissions or using signature enforcement. If left unprotected, as is the case with this finding, third party apps can send data to these receivers.
The exact impact varies on a case-by-case basis depending on how the app handles incoming broadcasts. Although many cases are harmless, commonly seen consequences for the affected apps are:
Performing unintended actions, perhaps on behalf of the user.
Displaying the incoming data to the user on behalf of the app for the purposes of phishing or social engineering, for example by loading a URL specified by the attacker into a WebView.
Exposing sensitive data, for example, by sending its own broadcast in response to the incoming one, or by writing it to a location accessible by other apps.
Steps To Reproduce
This test reverse engineers the application code and detects any context-registered broadcast receivers that have not been protected with permissions.
Business Impact
A malicious app installed on the device can attempt to send broadcast intents that trigger the unprotected broadcast receiver. These intents can modify the runtime of the app, making the app a potential phishing vector. If the sender app's broadcasts contain sensitive information, a malicious app may be able to perform intent sniffing, leaking sensitive data. Furthermore, a malicious app can register itself with high priority, if the broadcast is an ordered broadcast, to receive the broadcast first. If the malicious app is the first to receive the broadcast, it could cancel the broadcast causing a denial of service, or it could inject malicious data into the broadcast.
version: 1.0.0
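The pattern the NowSecure finding describes, as an added example that is not code from this issue or from the com.cardinalcommerce library: an unprotected context-registered receiver next to the two registrations that close it (a not-exported flag, or a signature-level permission). The action string, permission name and extras are constructed placeholders; the hardened forms assume AndroidX core 1.9+ for `ContextCompat.registerReceiver`.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import androidx.core.content.ContextCompat;

public class ResultReceiverRegistration {
    // Constructed placeholders, not values from the issue or the library.
    static final String ACTION_RESULT = "com.example.app.PAYMENT_RESULT";
    static final String SIG_PERMISSION = "com.example.app.permission.PAYMENT_RESULT";

    static final BroadcastReceiver RECEIVER = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            // Extras stay untrusted input even once the receiver is no longer
            // reachable from other apps; in particular never load a
            // caller-supplied URL into a WebView from here.
            String status = intent.getStringExtra("status");
            if (!"approved".equals(status) && !"declined".equals(status)) return;
            // ... handle the validated result
        }
    };

    // Vulnerable (the finding's case): no flag and no permission, so any app
    // on the device can deliver an Intent with this action to the receiver.
    static void registerUnprotected(Context ctx) {
        ctx.registerReceiver(RECEIVER, new IntentFilter(ACTION_RESULT));
    }

    // Fix 1: register the receiver as not exported. Android 13+ enforces the
    // flag in the system; ContextCompat lets the same call compile for older
    // releases, where the permission form below still applies.
    static void registerNotExported(Context ctx) {
        ContextCompat.registerReceiver(ctx, RECEIVER,
                new IntentFilter(ACTION_RESULT),
                ContextCompat.RECEIVER_NOT_EXPORTED);
    }

    // Fix 2: require a signature-level permission, declared in the manifest as
    //   <permission android:name="com.example.app.permission.PAYMENT_RESULT"
    //               android:protectionLevel="signature" />
    // Only apps signed with the same certificate can hold it, so only they can
    // send broadcasts that reach this receiver.
    static void registerWithSignaturePermission(Context ctx) {
        ctx.registerReceiver(RECEIVER, new IntentFilter(ACTION_RESULT),
                SIG_PERMISSION, /* scheduler */ null);
    }
}
```

To check what a device actually has registered at runtime, the "Registered Receivers" section of `adb shell dumpsys activity broadcasts` lists each dynamic receiver with its filter and required permission, which is a quick way to confirm whether a library's receiver is still unprotected after an update.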