MASWE-0084: Unsafe Handling of Data from IPC

Content in BETA

This content is in beta and still under active development, so it is subject to change at any time (e.g., structure, IDs, content, URLs).

Placeholder Weakness

This weakness has not been written yet; this page is a placeholder. You can check its status or start working on it yourself. If the issue has not yet been assigned, you can request to be assigned to it and submit a PR with the new content for this weakness by following our guidelines.

Check our GitHub Issues for MASWE-0084

Initial Description or Hints

e.g. received intents, broadcast receivers, URL validation, URL schemes, etc.

Relevant Topics

  • The app does not validate or sanitize input received through inter-process communication channels (e.g., intents, content URIs, broadcast receivers), which may lead to injection or logic vulnerabilities when the data is used in sensitive operations (CWE-20).
  • The app assumes that data received from other apps via IPC is trustworthy, without verifying its authenticity or origin (CWE-345).
  • The app combines untrusted IPC data with trusted inputs or internal state, which may allow attackers to influence app behavior or corrupt logic flows (CWE-349).
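
The three topics above applied to one Android entry point, as an added example that is not part of the original page: an exported deep-link activity that validates the incoming intent and forwards only the validated value. The host `app.example.com`, the `/orders/<id>` path, and the names `OrderLinkActivity`, `OrderDetailActivity` and `order_id` are assumptions made for illustration.

```kotlin
import android.app.Activity
import android.content.Intent
import android.net.Uri
import android.os.Bundle

// Hypothetical exported entry point for https://app.example.com/orders/<id> links.
class OrderLinkActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val orderId = parseOrderId(intent)
        if (orderId == null) {
            finish() // reject; never try to repair malformed IPC input
            return
        }
        // CWE-345 / CWE-349: the sender is unknown, so the intent contributes only the
        // validated id. Its extras are dropped, and the user and session come from the
        // app's own state. The backend still decides whether this user may see the order.
        startActivity(
            Intent(this, OrderDetailActivity::class.java).putExtra(EXTRA_ORDER_ID, orderId)
        )
        finish()
    }

    // Returns a validated order id, or null if any part of the intent is unexpected.
    // The manifest intent filter is not a substitute: an explicit intent is delivered
    // to an exported component without having to match the filter.
    private fun parseOrderId(incoming: Intent): Long? {
        if (incoming.action != Intent.ACTION_VIEW) return null
        val uri: Uri = incoming.data ?: return null

        // CWE-20: exact-match allowlist for scheme and host, no prefix or substring checks.
        if (uri.scheme != "https" || uri.host != ALLOWED_HOST) return null
        if (uri.userInfo != null || uri.fragment != null) return null

        // Accept only /orders/<digits>; pathSegments returns percent-decoded segments.
        val segments = uri.pathSegments
        if (segments.size != 2 || segments[0] != "orders") return null
        val raw = segments[1]
        if (raw.isEmpty() || raw.length > 18 || !raw.all { it in '0'..'9' }) return null
        return raw.toLong() // at most 18 ASCII digits, so this cannot overflow a Long
    }

    private companion object {
        const val ALLOWED_HOST = "app.example.com" // assumption for this example
        const val EXTRA_ORDER_ID = "order_id"       // assumption for this example
    }
}

// Hypothetical internal screen, declared with android:exported="false" in the manifest.
class OrderDetailActivity : Activity()
```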

MASTG v1 Coverage