...
Automatic detection of the receipt of an intent is straightforward. It is not feasible to automatically determine whether appropriate checks are made of the caller's identity or whether appropriate permission requirements have been set in the manifest.
Bibliography
Related Vulnerabilities
- JVN#31860555
- twicca fails to restrict access permissions
- https://jvn.jp/en/jp/JVN31860555/
Related Guidelines
Android Secure Coding Guidebook by JSSEC | 4.1.1.1 Create and use private activity 4.1.3.1. The combination of exported flag and the intent-filter 4.1.3.2. Validate the caller of the activity |
Bibliography