Unprotected Broadcasts in Android 9 and 10

Explore a critical vulnerability in Android versions 9, 10, and 11 Developer Preview that allowed unauthorized apps to send protected broadcast Intent messages. Delve into the systemic flaw that granted protection only to apps installed in specific file system locations, compromising the security of the Android operating system. Learn about the discovery process, the implications for system and privileged pre-installed apps, and the potential for malicious exploitation. Examine the vulnerability details, including the PackageManager Service in Android 10, and understand the exploitation workflow using examples like the QMMI app. Gain insights into the fix implemented to address this (un)protected broadcast vulnerability and its impact on Android security.

Intro
App Components Android apps are composed of app components
Who can send protected broadcasts?
Which app directories can ...?
PackageManager Service Android 10
PresencePolling app Overview Communication Services (RCS)
Perfdump app Vulnerability Details
QMMI app - Exploitation Workflow
The (un)protected broadcast fix