Leaking sensitive information through a ResultReceiver¶

ID: java/android/sensitive-result-receiver
Kind: path-problem
Security severity: 8.2
Severity: error
Precision: medium
Tags:
   - security
   - external/cwe/cwe-927
Query suites:
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

If a ResultReceiver is obtained from an untrusted source, such as an Intent received by an exported component, do not send it sensitive data. Otherwise, the information may be leaked to a malicious application.

Recommendation¶

Do not send sensitive data to an untrusted ResultReceiver.

Example¶

In the following (bad) example, sensitive data is sent to an untrusted ResultReceiver.

// BAD: Sensitive data is sent to an untrusted result receiver 
void bad(String password) {
    Intent intent = getIntent();
    ResultReceiver rec = intent.getParcelableExtra("Receiver");
    Bundle b = new Bundle();
    b.putCharSequence("pass", password);
    rec.send(0, b); 
}

References¶

Common Weakness Enumeration: CWE-927.

© GitHub, Inc.
Terms
Privacy

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Alternative Proxies:

Alternative Proxy