不安全的广播接收器
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
OWASP 类别: MASVS-PLATFORM:平台互动
概览
如果广播接收器实现不当,攻击者可能会发送恶意 intent,以便让易受攻击的应用执行不适用于外部调用方的操作。
此漏洞通常是指广播接收器无意中被导出的情形,这可能是通过在 AndroidManifest 中设置 android:exported="true"
或通过以编程方式创建广播接收器(默认情况下会使接收器处于公开状态)而导致的。如果接收器不包含任何 intent 过滤器,则默认值为 "false"
;如果接收器包含至少一个 intent 过滤器,则 android:exported 的默认值为 "true"
。
如果开发者不希望所有应用都调用有意导出的广播接收器,但未进行适当的访问权限控制,则该广播接收器可能会被滥用。
影响
攻击者可能会滥用不安全实现的广播接收器,在未经授权的情况下访问应用中开发者不打算向第三方公开的行为。
缓解措施
完全避免此问题
如需彻底解决此问题,请将 exported
设置为 false
:
<receiver android:name=".MyReceiver" android:exported="false">
<intent-filter>
<action android:name="com.example.myapp.MY_ACTION" />
</intent-filter>
</receiver>
使用调用和回调
如果您出于内部应用用途(例如事件完成通知)使用广播接收器,则可以重构代码,以改为传递会在事件完成后触发的回调。
事件完成监听器
Kotlin
interface EventCompletionListener {
fun onEventComplete(data: String)
}
Java
public interface EventCompletionListener {
public void onEventComplete(String data);
}
安全任务
Kotlin
class SecureTask(private val listener: EventCompletionListener?) {
fun executeTask() {
// Do some work...
// Notify that the event is complete
listener?.onEventComplete("Some secure data")
}
}
Java
public class SecureTask {
final private EventCompletionListener listener;
public SecureTask(EventCompletionListener listener) {
this.listener = listener;
}
public void executeTask() {
// Do some work...
// Notify that the event is complete
if (listener != null) {
listener.onEventComplete("Some secure data");
}
}
}
主 Activity
Kotlin
class MainActivity : AppCompatActivity(), EventCompletionListener {
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
setContentView(R.layout.activity_main)
val secureTask = SecureTask(this)
secureTask.executeTask()
}
override fun onEventComplete(data: String) {
// Handle event completion securely
// ...
}
}
Java
public class MainActivity extends AppCompatActivity implements EventCompletionListener {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
SecureTask secureTask = new SecureTask(this);
secureTask.executeTask();
}
@Override
public void onEventComplete(String data) {
// Handle event completion securely
// ...
}
}
使用权限保护广播接收器
仅为受保护的广播(只有系统级应用才能发送的广播)或具有自行声明的签名级权限注册动态接收器。
资源
本页面上的内容和代码示例受内容许可部分所述许可的限制。Java 和 OpenJDK 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-07-26。
[null,null,["最后更新时间 (UTC):2025-07-26。"],[],[],null,["# Insecure broadcast receivers\n\n\u003cbr /\u003e\n\n**OWASP category:** [MASVS-PLATFORM: Platform Interaction](https://mas.owasp.org/MASVS/09-MASVS-PLATFORM)\n\nOverview\n--------\n\nImproperly implemented broadcast receivers can allow an attacker to send a\nmalicious intent to make the vulnerable application perform actions which are\nnot intended for external callers.\n\nThe vulnerability generally refers to instances where the broadcast receiver is\nunintentionally exported, either by setting [`android:exported=\"true\"`](/guide/topics/manifest/receiver-element#exported) in\nthe AndroidManifest or by creating a broadcast receiver programmatically which\nmakes the receiver public by default. If the receiver doesn't contain any intent\nfilters the default value is `\"false\"` but if the receiver contains at least one\nintent filter the default value of android:exported is `\"true\"`.\n\nIntentionally exported broadcast receivers without proper access control can be\nabused if the developer did not intend for it to be called by all applications.\n\nImpact\n------\n\nInsecurely implemented broadcast receivers can be abused by an attacker to gain\nunauthorized access to execute behavior in the application that the developer\ndid not mean to expose to third parties.\n\nMitigations\n-----------\n\n### Avoid the problem entirely\n\nTo resolve the dilemma entirely, set `exported` to `false`: \n\n \u003creceiver android:name=\".MyReceiver\" android:exported=\"false\"\u003e\n \u003cintent-filter\u003e\n \u003caction android:name=\"com.example.myapp.MY_ACTION\" /\u003e\n \u003c/intent-filter\u003e\n \u003c/receiver\u003e\n\n### Use calls and callbacks\n\nIn the case you used broadcast receivers for internal app purposes (ie. event\ncompletion notification), you can restructure your code to pass a callback that\nwould fire after event completion instead.\n\n###### Event completion listener\n\n### Kotlin\n\n interface EventCompletionListener {\n fun onEventComplete(data: String)\n }\n\n### Java\n\n public interface EventCompletionListener {\n public void onEventComplete(String data);\n }\n\n###### Secure task\n\n### Kotlin\n\n class SecureTask(private val listener: EventCompletionListener?) {\n fun executeTask() {\n // Do some work...\n\n // Notify that the event is complete\n listener?.onEventComplete(\"Some secure data\")\n }\n }\n\n### Java\n\n public class SecureTask {\n\n final private EventCompletionListener listener;\n\n public SecureTask(EventCompletionListener listener) {\n this.listener = listener;\n }\n\n public void executeTask() {\n // Do some work...\n\n // Notify that the event is complete\n if (listener != null) {\n listener.onEventComplete(\"Some secure data\");\n }\n }\n }\n\n###### Main activity\n\n### Kotlin\n\n class MainActivity : AppCompatActivity(), EventCompletionListener {\n override fun onCreate(savedInstanceState: Bundle?) {\n super.onCreate(savedInstanceState)\n setContentView(R.layout.activity_main)\n\n val secureTask = SecureTask(this)\n secureTask.executeTask()\n }\n\n override fun onEventComplete(data: String) {\n // Handle event completion securely\n // ...\n }\n }\n\n### Java\n\n public class MainActivity extends AppCompatActivity implements EventCompletionListener {\n\n @Override\n protected void onCreate(Bundle savedInstanceState) {\n super.onCreate(savedInstanceState);\n setContentView(R.layout.activity_main);\n\n SecureTask secureTask = new SecureTask(this);\n secureTask.executeTask();\n }\n\n @Override\n public void onEventComplete(String data) {\n // Handle event completion securely\n // ...\n }\n }\n\n### Secure broadcast receivers with permissions\n\nOnly register dynamic receivers for [protected broadcasts](/about/versions/12/reference/broadcast-intents-31) (broadcasts that\nonly system level applications can send) or with [self-declared signature level\npermissions](/guide/topics/manifest/permission-element#plevel).\n\nResources\n---------\n\n- [Exported Receiver Elements](/guide/topics/manifest/receiver-element#exported)\n- [Broadcast Receiver Permissions documentation](/guide/components/broadcasts#receiving-broadcasts-permissions)\n- [Protected Broadcast Intents](/about/versions/12/reference/broadcast-intents-31)"]]