Android Apk Unprotected Exported Receivers
Description
Identifies Android broadcast receivers that are exported (accessible to other apps) without proper protection mechanisms like permissions. Unprotected exported receivers can allow malicious apps to send broadcasts that trigger unauthorized actions or access sensitive functionality.
Detection Strategy
• Scans the AndroidManifest.xml file for <receiver> components
• Checks if receivers are marked as exported (either explicitly with android:exported="true" or implicitly through intent filters)
• Verifies if exported receivers lack protection mechanisms like android:permission attributes
• Considers the target SDK version since it affects default export behavior
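The detection strategy above, written out in Python as an added example (not Fluid Attacks' own implementation). It assumes the manifest has already been decoded to text XML (binary AXML inside an APK is not handled) and that `uses-sdk` is present in it; the sample manifest, package name and function name are constructed for the example. It also treats an application-level `android:permission` as protecting every receiver that does not set its own.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded text form, not binary AXML).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:targetSdkVersion="30" />
  <application>
    <receiver android:name=".ResetReceiver" android:exported="true" />
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.demo.SYNC" /></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:exported="true"
        android:permission="com.example.demo.permission.ADMIN" />
    <receiver android:name=".InternalReceiver" android:exported="false" />
    <receiver android:name=".NoFilterReceiver" />
  </application>
</manifest>"""


def find_unprotected_receivers(manifest_xml):
    """Return (name, reason) for each exported receiver with no permission."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    if app is None:
        return []
    app_permission = app.get(ANDROID + "permission")  # default for all components
    findings = []
    for rcv in app.findall("receiver"):
        exported = rcv.get(ANDROID + "exported")
        if exported == "true":
            reason = "explicitly exported"
        elif exported is None and rcv.find("intent-filter") is not None:
            # No attribute: an intent filter makes the default "true".
            reason = "implicitly exported via intent-filter"
            if target >= 31:  # Android 12+ requires an explicit value here
                reason += " (targetSdk >= 31 requires explicit android:exported)"
        else:
            continue  # exported="false", or no filter and no attribute
        if not (rcv.get(ANDROID + "permission") or app_permission):
            findings.append((rcv.get(ANDROID + "name"), reason))
    return findings

if __name__ == "__main__":
    for name, reason in find_unprotected_receivers(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
```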