The Wayback Machine - https://web.archive.org/web/20241110095944/https://codeql.github.com/codeql-query-help/java/java-android-sensitive-result-receiver/
CodeQL documentation
CodeQL resources

Leaking sensitive information through a ResultReceiver

ID: java/android/sensitive-result-receiver
Kind: path-problem
Security severity: 8.2
Severity: error
Precision: medium
Tags:
   - security
   - external/cwe/cwe-927
Query suites:
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

If a ResultReceiver is obtained from an untrusted source, such as an Intent received by an exported component, do not send it sensitive data. Otherwise, the information may be leaked to a malicious application.

Recommendation

Do not send sensitive data to an untrusted ResultReceiver.

Example

In the following (bad) example, sensitive data is sent to an untrusted ResultReceiver.

// BAD: Sensitive data is sent to an untrusted result receiver 
void bad(String password) {
    Intent intent = getIntent();
    ResultReceiver rec = intent.getParcelableExtra("Receiver");
    Bundle b = new Bundle();
    b.putCharSequence("pass", password);
    rec.send(0, b); 
}

References

  • Common Weakness Enumeration: CWE-927.