[Intent Redirection vulnerability] in SmsBroadcastReceiver's onReceive() method

[rahulmitta1]

Context: I am currently getting an Intent Redirection warning for my app on google play store. So while I was checking plugins used in my app related to that issue.

---

Me: Is this code (SmsAutoFillPlugin.SmsBroadcastReceiver.onReceive()) method vulnerable to intent redirection?

ChatGPT:

Yes, this code is vulnerable to intent redirection.

Issue: Unverified Intent Source

• The code listens for SmsRetriever.SMS_RETRIEVED_ACTION but does not verify the sender of the intent.
• A malicious app running on the device could send a fake broadcast intent with spoofed extras to this receiver.
• The attacker could inject a fake SMS message that matches smsCodeRegexPattern and cause the plugin to process a manipulated verification code.

Exploitation Scenario

1. Malicious app sends a fake broadcast:

   Intent fakeIntent = new Intent(SmsRetriever.SMS_RETRIEVED_ACTION);
   fakeIntent.putExtra(SmsRetriever.EXTRA_STATUS, new Status(CommonStatusCodes.SUCCESS));
   fakeIntent.putExtra(SmsRetriever.EXTRA_SMS_MESSAGE, "Your OTP is 123456");
   context.sendBroadcast(fakeIntent);

2. Your receiver processes this as a legitimate message and sets the attacker's OTP.

Mitigation

1. Verify Intent Source

   • Check that the broadcast is sent by Google Play Services:

     String sender = intent.getPackage();
     if (!"com.google.android.gms".equals(sender)) {
         return;
     }

2. Use PendingIntents Instead

   • Instead of listening for global broadcasts, use PendingIntents to securely receive OTP.