VariantIncomplete

CWE-925Improper Verification of Intent by Broadcast Receiver

Category: other

Description

The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source. Certain types of Intents, identified by action string, can only be broadcast by the operating system itself, not by third-party applications. However, when an application registers to receive these implicit system intents, it is also registered to receive any explicit intents. While a malicious application cannot send an implicit system intent, it can send an explicit intent to the target application, which may assume that any received intent is a valid implicit system intent and not an explicit intent from another application. This may lead to unintended behavior.

Common consequences· 1

  • Integrity — Gain Privileges or Assume Identity
    Another application can impersonate the operating system and cause the software to perform an unintended action.

Potential mitigations· 1

  • [Architecture and Design]Before acting on the Intent, check the Intent Action to make sure it matches the expected System action.

Related CAPEC attack patterns· 1

CAPEC-499

References

  1. https://cwe.mitre.org/data/definitions/925.html

Exploits (incoming)1

TypeTargetConfidenceTier
AttackPatternAndroid Intent Interceptcapec-499100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Use of Implicit Intent for Sensitive Communication
CWE
Improper Export of Android Application Components
CWE
Improper Verification of Source of a Communication Channel
CWE
Improper Authorization in Handler for Custom URL Scheme
CVE
CVE-2025-32348
CWE
Incorrect Use of Privileged APIs
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.