PendingIntent.getBroadcast() security concerns?

Question

I was looking at the documentation for PendingIntent.getBroadcast(Context, int, Intent, int) and it mentions that...

For security reasons, the Intent you supply here should almost always be an explicit intent, that is specify an explicit component to be delivered to through Intent.setClass

What exactly are the security reasons? What makes explicit Intents more secure if other applications can still create one using only your package name and the component's name?

I've seen the report at NIST.gov about a PendingIntent-based security vulnerability that affected all of Android 4.x, where a malicious app could send Intents as the SYSTEM user. However, I'm not sure if the same concerns apply to my app.

If an Intent is handled by a BroadcastReceiver and the Intent isn't used to pass data (as extras, for example,) is there still a risk?

Answer 1

My guess is that what they really meant was:

For security reasons, the Intent you supply here should almost always be an explicit Intent pointing to a non-exported component, that is specify an explicit component to be delivered to through Intent.setClass

Your concern about "other applications can still create one using only your package name and the component's name" is only valid if the component is exported. For a BroadcastReceiver, it will be exported by default only if it has an <intent-filter> (or IntentFilter, if registering via registerReceiver()).

If an Intent is handled by a BroadcastReceiver and the Intent isn't used to pass data (as extras, for example,) is there still a risk?

Off the cuff, there are two risks with using implicit Intents:

1. On the sending side, anyone can respond to your broadcast. While you might think that the mere existence of the broadcast is not a privacy/security leak — and in your specific case, it might not be a leak — that is not universally true.

2. On the receiving side, if your component is exported (the default if it can handle an implicit Intent), other parties could send you fake broadcasts, perhaps tricking you into doing something unfortunate.