Merge pull request #6599 from joefarebrother/android-sensitive-communication

Java: Promote android sensitive broadcast query
2025-12-21 19:26:31 +01:00 · 2021-10-26 13:48:58 +01:00
parent e5e1046c81 ba95d46ec3
commit 02b440b0ed
13 changed files with 238 additions and 241 deletions
--- a/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.java
+++ b/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.java
@@ -0,0 +1,30 @@
+public void sendBroadcast1(Context context, String token, String refreshToken) 
+{
+    {
+        // BAD: broadcast sensitive information to all listeners
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("token", token);
+        intent.putExtra("refreshToken", refreshToken);
+        context.sendBroadcast(intent);
+    }
+
+    {
+        // GOOD: broadcast sensitive information only to those with permission
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("token", token);
+        intent.putExtra("refreshToken", refreshToken);
+        context.sendBroadcast(intent, "com.example.user_permission");
+    }
+
+    {
+        // GOOD: broadcast sensitive information to a specific application
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.setClassName("com.example2", "com.example2.UserInfoHandler");
+        intent.putExtra("token", token);
+        intent.putExtra("refreshToken", refreshToken);
+        context.sendBroadcast(intent);
+    }
+}
--- a/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.qhelp
+++ b/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.qhelp
@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>When an implicit Intent is used with a method such as <code>startActivity</code>, <code>startService</code>, or <code>sendBroadcast</code>, it may be read by other applications on the device.</p>
+    <p>This means that sensitive data in these Intents may be leaked.</p>
+  </overview>
+
+  <recommendation>
+    <p> 
+      For <code>sendBroadcast</code> methods, a receiver permission may be specified so that only applications with a certain permission may receive the Intent; 
+      or a <code>LocalBroadcastManager</code> may be used.
+      Otherwise, ensure that Intents containing sensitive data have an explicit receiver class set.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>The following example shows two ways of broadcasting Intents. In the 'BAD' case, no "receiver permission" is specified. In the 'GOOD' case, "receiver permission" or "receiver application" is specified.</p>
+    <sample src="SensitiveCommunication.java" />
+  </example>
+
+  <references>
+    <li>
+      Android Developers:
+      <a href="https://developer.android.com/guide/components/broadcasts">Security considerations and best practices for sending and receiving broadcasts</a>
+    </li>
+    <li>
+      SonarSource:
+      <a href="https://rules.sonarsource.com/java/type/Security%20Hotspot/RSPEC-5320">Broadcasting intents is security-sensitive</a>
+    </li>
+    <li>
+      Android Developer Fundamentals:
+      <a href="https://google-developer-training.github.io/android-developer-fundamentals-course-concepts-v2/unit-3-working-in-the-background/lesson-7-background-tasks/7-3-c-broadcasts/7-3-c-broadcasts.html">Restricting broadcasts</a>
+    </li>
+    <li>
+      Carnegie Mellon University:
+      <a href="https://wiki.sei.cmu.edu/confluence/display/android/DRD03-J.+Do+not+broadcast+sensitive+information+using+an+implicit+intent">DRD03-J. Do not broadcast sensitive information using an implicit intent</a>
+    </li>
+    <li>
+      Android Developers:
+      <a href="https://developer.android.com/topic/libraries/architecture/livedata">Android LiveData Overview</a>
+    </li>
+    <li>
+      Oversecured: 
+      <a href="https://blog.oversecured.com/Interception-of-Android-implicit-intents/">Interception of Android implicit intents</a>
+    </li>
+  </references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql
+++ b/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Leaking sensitive information through an implicit Intent
+ * @description An Android application uses implicit Intents containing sensitive data
+ *              in a way that exposes it to arbitrary applications on the device.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 8.2
+ * @precision medium
+ * @id java/android/sensitive-communication
+ * @tags security
+ *       external/cwe/cwe-927
+ */
+
+import java
+import semmle.code.java.security.AndroidSensitiveCommunicationQuery
+import DataFlow::PathGraph
+
+from SensitiveCommunicationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This call may leak sensitive information from $@.",
+  source.getNode(), "here"