Broadcasts

Apps can use broadcast receivers to receive & process intents from other apps(including system apps).

For ex: To know charger connected status, apps can listen to system broadcast with Intent.ACTION_POWER_CONNECTED.

Note that few broadcast intents such as Intent.ACTION_POWER_CONNECTED are protected, meaning only system can broadcast those messages, no other app can send those broadcasts.

Main difference between Broadcast receiver & Activity is broadcast receivers can listen to specific intent actions & process them in background instead of opening a UI screen in a activity.

Receivers Processing Untrusted Intents

Similar to Activities, vulnerable receivers might process untrusted intents broadcasted from attacker app.

Mitigation: Verify the broadcast sender source before processing the receivers.

Implicit Broadcasts

Apps can send broadcasts with implicit intents, thus making the broadcast interception possible by malicious apps with similar intent filters.

Note that, malicious app must dynamically register the receiver instead of simple AndroidManifest.xml registration due to Android Background Execution Limits.

Impact: Malicious app can receive sensitive data sent using implicit broadcast from Vulnerable app.

Mitigation: Do not send sensitive data in implicit broadcast, Use Explicit Broadcasts.

Broadcast Receiver sending Sensitive Intent Back to Broadcast Sender

Broadcast receiver can send sensitive data in intent to broadcast senders which are expecting some result from receivers similar to startActivityForResult as in Activities using sendOrderedBroadcast.

Impact: Malicious Broadcast sender can get sensitive data from vulnerable broadcast receivers.

Mitigation: Validate calling source before processing/sending sensitive data in intent.