Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

Intent Manipulation: Implicit Pending Intent

Abstract
An implicit PendingIntent has been detected. Implicit pending intents might result in security vulnerabilities such as denial of service, private and system information leakage, and privilege escalation.
Explanation
Android Intents are used to bind applications and application components together by providing instruction on actions that a given component performs. Pending intents are created to deliver the Intent at a later time. Implicit intents facilitate the calling of intents from any given external component, using a general name and filter to determine execution.

When an implicit Intent is created as a PendingIntent, this might allow for the Intent to be sent to an unintended component that runs outside of the intended temporal context, leaving the system vulnerable to exploit vectors such as denial of service, private and system information leakage, and privilege escalation.

Example 1: The following code uses an implicit PendingIntent.


...
val imp_intent = Intent()
val flag_mut = PendingIntent.FLAG_MUTABLE
val pi_flagmutable_impintintent = PendingIntent.getService(
    this,
    0,
    imp_intent,
    flag_mut
)
...
References
[1] Remediation for Implicit PendingIntent Vulnerability
[2] Standards Mapping - Common Weakness Enumeration CWE ID 99
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[7] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[37] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[38] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.intent_manipulation_implicit_pending_intent