Use of Implicit intent to send a broadcast with sensitive data
The com.insecureshop.AboutUsActivity contains the following code:
public final void onSendData(android.view.View view) {
kotlin.jvm.internal.Intrinsics.checkParameterIsNotNull(view, "view");
java.lang.String userName = com.insecureshop.util.Prefs.INSTANCE.getUsername();
if (userName == null) {
kotlin.jvm.internal.Intrinsics.throwNpe();
}
java.lang.String password = com.insecureshop.util.Prefs.INSTANCE.getPassword();
if (password == null) {
kotlin.jvm.internal.Intrinsics.throwNpe();
}
android.content.Intent intent = new android.content.Intent("com.insecureshop.action.BROADCAST");
intent.putExtra("username", userName);
intent.putExtra("password", password);
sendBroadcast(intent);
android.widget.TextView textView = (android.widget.TextView) _$_findCachedViewById(com.insecureshop.C0818R.id.textView);
kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(textView, "textView");
textView.setText("InsecureShop is an intentionally designed vulnerable android app built in Kotlin.");
}
}The above code defines an action com.insecureshop.action.BROADCAST and use implicit intent to send a broadcast containing username and password of the logged-in user.
Note (If you are exploiting this on Android version 7 and above):
On Android O, code like this no longer works the way that you expect:
sendBroadcast(new Intent("this.is.an.implicit.broadcast"));Normally, this broadcast would be received by all receivers that are registered for that custom action string. Even on O, two sets of receivers will still receive the broadcast:
Those whose apps have
targetSdkVersionof 25 or lowerThose that were registered via
registerReceiver()of some already-running process
To use Implicit Receivers in your application, you need to define them programmatically in your code, using registerReceiver().
Reference:
Last updated
Was this helpful?