Intent Manipulation: Implicit Pending Intent

Java/JSP

Abstract

偵測到隱含 PendingIntent。隱含 Pending Intent 可能會導致安全性弱點，例如 Denial of Service、私人和系統資訊洩漏以及提升特權。

Explanation

Android Intent 用於透過提供有關特定元件執行之動作的指令，將應用程式和應用程式元件繫結在一起。建立 Pending Intent 是為了稍後傳送 Intent。隱含 Intent 有助於從任何特定外部元件呼叫 Intent，並使用通用名稱和篩選器來確定執行。

將隱含 Intent 做為 PendingIntent 建立時，可能會導致 Intent 被傳送到在預期暫存內容外部執行的非預期元件，從而使系統容易受到諸如 Denial of Service、私人和系統資訊洩漏和提升特權等的攻擊。

範例 1：以下程式碼使用隱含 PendingIntent。


...
val imp_intent = Intent()
val flag_mut = PendingIntent.FLAG_MUTABLE
val pi_flagmutable_impintintent = PendingIntent.getService(
    this,
    0,
    imp_intent,
    flag_mut
)
...

References

[1] Remediation for Implicit PendingIntent Vulnerability

[2] Standards Mapping - Common Weakness Enumeration CWE ID 99

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[7] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[37] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[38] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.java.intent_manipulation_implicit_pending_intent