CWE-927: Use of Implicit Intent for Sensitive Communication
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The Android application uses an implicit intent for transmitting sensitive data to other applications.
常见后果
影响范围: Confidentiality
技术影响: Read Application Data
说明: Other applications, possibly untrusted, can read the data that is offered through the Intent.
影响范围: Integrity
技术影响: Varies by Context
说明: The application may handle responses from untrusted applications on the device, which could cause it to perform unexpected or unauthorized actions.
潜在缓解措施
阶段: Implementation
描述: If the application only requires communication with its own components, then the destination is always known, and an explicit intent could be used.
检测方法
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
观察示例
参考: CVE-2022-4903
An Android application does not use FLAG_IMMUTABLE when creating a PendingIntent.
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |