CWE-925
Improper Verification of Intent by Broadcast Receiver
The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.
Mitigation
Phase: Architecture and Design
Description:
- Before acting on the Intent, check the Intent Action to make sure it matches the expected System action.
CAPEC-499: Android Intent Intercept
An adversary, through a previously installed malicious application, intercepts messages from a trusted Android-based application in an attempt to achieve a variety of different objectives including denial of service, information disclosure, and data injection. An implicit intent sent from a trusted application can be received by any application that has declared an appropriate intent filter. If the intent is not protected by a permission that the malicious application lacks, then the attacker can gain access to the data contained within the intent. Further, the intent can be either blocked from reaching the intended destination, or modified and potentially forwarded along.