안전하지 않은 broadcast receiver
컬렉션을 사용해 정리하기
내 환경설정을 기준으로 콘텐츠를 저장하고 분류하세요.
OWASP 카테고리: MASVS-PLATFORM: 플랫폼 상호작용
개요
잘못 구현된 Broadcast receiver로 인해 공격자가 악의적인 인텐트를 전송하여 취약한 애플리케이션이 외부 호출자를 위한 것이 아닌 작업을 실행하도록 할 수 있습니다.
이 취약점은 일반적으로 AndroidManifest에서 android:exported="true"를 설정하거나 기본적으로 수신기를 공개로 만드는 broadcast receiver를 프로그래매틱 방식으로 만들어 broadcast receiver가 의도치 않게 내보내지는 경우를 말합니다. broadcast receiver에 인텐트 필터가 포함되어 있지 않으면 기본값은 "false"이지만 broadcast receiver에 인텐트 필터가 하나 이상 포함되어 있으면 android:exported의 기본값은 "true"입니다.
적절한 액세스 제어 없이 의도적으로 내보낸 Broadcast receiver는 개발자가 모든 애플리케이션에서 호출되도록 의도하지 않은 경우 악용될 수 있습니다.
영향
안전하지 않게 구현된 broadcast receiver는 공격자가 악용하여 개발자가 서드 파티에 노출할 의도가 없었던 애플리케이션에서 동작을 실행하기 위해 무단으로 액세스할 수 있습니다.
완화 조치
문제를 완전히 방지
이 문제를 완전히 해결하려면 exported를 false로 설정합니다.
<receiver android:name=".MyReceiver" android:exported="false">
<intent-filter>
<action android:name="com.example.myapp.MY_ACTION" />
</intent-filter>
</receiver>
호출 및 콜백 사용
내부 앱 목적으로 broadcast receiver를 사용한 경우 (예: 이벤트 완료 알림) 이벤트 완료 후에 실행되는 콜백을 전달하도록 코드를 재구성할 수 있습니다.
이벤트 완료 리스너
Kotlin
interface EventCompletionListener {
fun onEventComplete(data: String)
}
자바
public interface EventCompletionListener {
public void onEventComplete(String data);
}
보안 태스크
Kotlin
class SecureTask(private val listener: EventCompletionListener?) {
fun executeTask() {
// Do some work...
// Notify that the event is complete
listener?.onEventComplete("Some secure data")
}
}
자바
public class SecureTask {
final private EventCompletionListener listener;
public SecureTask(EventCompletionListener listener) {
this.listener = listener;
}
public void executeTask() {
// Do some work...
// Notify that the event is complete
if (listener != null) {
listener.onEventComplete("Some secure data");
}
}
}
기본 활동
Kotlin
class MainActivity : AppCompatActivity(), EventCompletionListener {
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
setContentView(R.layout.activity_main)
val secureTask = SecureTask(this)
secureTask.executeTask()
}
override fun onEventComplete(data: String) {
// Handle event completion securely
// ...
}
}
자바
public class MainActivity extends AppCompatActivity implements EventCompletionListener {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
SecureTask secureTask = new SecureTask(this);
secureTask.executeTask();
}
@Override
public void onEventComplete(String data) {
// Handle event completion securely
// ...
}
}
권한으로 broadcast receiver 보호
보호된 브로드캐스트 (시스템 수준 애플리케이션만 보낼 수 있는 브로드캐스트) 또는 자체 선언된 서명 수준 권한에 대해서만 동적 수신기를 등록합니다.
리소스
이 페이지에 나와 있는 콘텐츠와 코드 샘플에는 콘텐츠 라이선스에서 설명하는 라이선스가 적용됩니다. 자바 및 OpenJDK는 Oracle 및 Oracle 계열사의 상표 또는 등록 상표입니다.
최종 업데이트: 2025-07-26(UTC)
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["필요한 정보가 없음","missingTheInformationINeed","thumb-down"],["너무 복잡함/단계 수가 너무 많음","tooComplicatedTooManySteps","thumb-down"],["오래됨","outOfDate","thumb-down"],["번역 문제","translationIssue","thumb-down"],["샘플/코드 문제","samplesCodeIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-07-26(UTC)"],[],[],null,["# Insecure broadcast receivers\n\n\u003cbr /\u003e\n\n**OWASP category:** [MASVS-PLATFORM: Platform Interaction](https://mas.owasp.org/MASVS/09-MASVS-PLATFORM)\n\nOverview\n--------\n\nImproperly implemented broadcast receivers can allow an attacker to send a\nmalicious intent to make the vulnerable application perform actions which are\nnot intended for external callers.\n\nThe vulnerability generally refers to instances where the broadcast receiver is\nunintentionally exported, either by setting [`android:exported=\"true\"`](/guide/topics/manifest/receiver-element#exported) in\nthe AndroidManifest or by creating a broadcast receiver programmatically which\nmakes the receiver public by default. If the receiver doesn't contain any intent\nfilters the default value is `\"false\"` but if the receiver contains at least one\nintent filter the default value of android:exported is `\"true\"`.\n\nIntentionally exported broadcast receivers without proper access control can be\nabused if the developer did not intend for it to be called by all applications.\n\nImpact\n------\n\nInsecurely implemented broadcast receivers can be abused by an attacker to gain\nunauthorized access to execute behavior in the application that the developer\ndid not mean to expose to third parties.\n\nMitigations\n-----------\n\n### Avoid the problem entirely\n\nTo resolve the dilemma entirely, set `exported` to `false`: \n\n \u003creceiver android:name=\".MyReceiver\" android:exported=\"false\"\u003e\n \u003cintent-filter\u003e\n \u003caction android:name=\"com.example.myapp.MY_ACTION\" /\u003e\n \u003c/intent-filter\u003e\n \u003c/receiver\u003e\n\n### Use calls and callbacks\n\nIn the case you used broadcast receivers for internal app purposes (ie. event\ncompletion notification), you can restructure your code to pass a callback that\nwould fire after event completion instead.\n\n###### Event completion listener\n\n### Kotlin\n\n interface EventCompletionListener {\n fun onEventComplete(data: String)\n }\n\n### Java\n\n public interface EventCompletionListener {\n public void onEventComplete(String data);\n }\n\n###### Secure task\n\n### Kotlin\n\n class SecureTask(private val listener: EventCompletionListener?) {\n fun executeTask() {\n // Do some work...\n\n // Notify that the event is complete\n listener?.onEventComplete(\"Some secure data\")\n }\n }\n\n### Java\n\n public class SecureTask {\n\n final private EventCompletionListener listener;\n\n public SecureTask(EventCompletionListener listener) {\n this.listener = listener;\n }\n\n public void executeTask() {\n // Do some work...\n\n // Notify that the event is complete\n if (listener != null) {\n listener.onEventComplete(\"Some secure data\");\n }\n }\n }\n\n###### Main activity\n\n### Kotlin\n\n class MainActivity : AppCompatActivity(), EventCompletionListener {\n override fun onCreate(savedInstanceState: Bundle?) {\n super.onCreate(savedInstanceState)\n setContentView(R.layout.activity_main)\n\n val secureTask = SecureTask(this)\n secureTask.executeTask()\n }\n\n override fun onEventComplete(data: String) {\n // Handle event completion securely\n // ...\n }\n }\n\n### Java\n\n public class MainActivity extends AppCompatActivity implements EventCompletionListener {\n\n @Override\n protected void onCreate(Bundle savedInstanceState) {\n super.onCreate(savedInstanceState);\n setContentView(R.layout.activity_main);\n\n SecureTask secureTask = new SecureTask(this);\n secureTask.executeTask();\n }\n\n @Override\n public void onEventComplete(String data) {\n // Handle event completion securely\n // ...\n }\n }\n\n### Secure broadcast receivers with permissions\n\nOnly register dynamic receivers for [protected broadcasts](/about/versions/12/reference/broadcast-intents-31) (broadcasts that\nonly system level applications can send) or with [self-declared signature level\npermissions](/guide/topics/manifest/permission-element#plevel).\n\nResources\n---------\n\n- [Exported Receiver Elements](/guide/topics/manifest/receiver-element#exported)\n- [Broadcast Receiver Permissions documentation](/guide/components/broadcasts#receiving-broadcasts-permissions)\n- [Protected Broadcast Intents](/about/versions/12/reference/broadcast-intents-31)"]]
