CWE-927 – Use of Implicit Intent for Sensitive Communication

Description

The Android application uses an implicit intent for transmitting sensitive data to other applications.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-285
CWE-668

 

Consequences

Confidentiality: Read Application Data

Other applications, possibly untrusted, can read the data that is offered through the Intent.

Integrity: Varies by Context

The application may handle responses from untrusted applications on the device, which could cause it to perform unexpected or unauthorized actions.

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

If the application only requires communication with its own components, then the destination is always known, and an explicit intent could be used.
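The sketch below puts the weak implicit form beside the explicit form this mitigation describes. It is an added example, not code from the CWE entry. The package, class, action, extra and preference names are hypothetical, and the receiver is assumed to be declared in the manifest with android:exported="false" and no intent filter.

```java
package com.example.app; // hypothetical package name

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public final class SessionNotifier {
    // Hypothetical action and extra names, constructed for this example.
    static final String ACTION_TOKEN_REFRESHED = "com.example.app.TOKEN_REFRESHED";
    static final String EXTRA_TOKEN = "com.example.app.extra.TOKEN";

    // Weak: implicit intent. Only an action is set, so the system delivers the
    // broadcast to every receiver whose filter matches that action, and each
    // of those receivers can read EXTRA_TOKEN.
    static void notifyImplicit(Context ctx, String token) {
        Intent intent = new Intent(ACTION_TOKEN_REFRESHED);
        intent.putExtra(EXTRA_TOKEN, token);
        ctx.sendBroadcast(intent);
    }

    // Corrected: explicit intent. The destination component is named by class,
    // so the data is delivered only to TokenReceiver inside this application.
    static void notifyExplicit(Context ctx, String token) {
        Intent intent = new Intent(ctx, TokenReceiver.class);
        intent.setAction(ACTION_TOKEN_REFRESHED);
        intent.putExtra(EXTRA_TOKEN, token);
        ctx.sendBroadcast(intent);
    }

    // Hypothetical in-app receiver. Assumed manifest entry (not from the page):
    // <receiver android:name=".SessionNotifier$TokenReceiver"
    //           android:exported="false" />
    public static final class TokenReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            // Check the message before acting on it, so an unexpected intent
            // does not trigger an unintended action.
            if (!ACTION_TOKEN_REFRESHED.equals(intent.getAction())) {
                return;
            }
            String token = intent.getStringExtra(EXTRA_TOKEN);
            if (token == null || token.isEmpty()) {
                return;
            }
            // "session" and "token" are hypothetical preference names.
            context.getSharedPreferences("session", Context.MODE_PRIVATE)
                    .edit().putString("token", token).apply();
        }
    }
}
```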

CVE References