Vulnerability Report - com.eypcnnapps.quickreboot v1.0.8
Summary:
In version 1.0.8 of 'com.eypcnnapps.quickreboot' for Android, there are exposed broadcast receivers, notably 'Recovery' and 'Reboot', which are susceptible to unauthorized broadcasts because of missing input validation. Malicious entities or any apps installed (even without special permissions) have the potential to exploit this vulnerability either remotely, using a specially crafted intent, or locally through the (Android Debug Bridge), posing a risk of Denial of Service attacks on user devices.
- App Name:
com.eypcnnapps.quickreboot - Version:
1.0.8
The application contains multiple exported broadcast receivers without proper permission checks.
Rebootbroadcast receiverRecoverybroadcast receiver
- Remote broadcast intent with specific action strings
The com.eypcnnapps.quickreboot application version 1.0.8 for Android has several exported broadcast receivers (SystemUI, Reboot, PowerOff, and Recovery).
While there is a check for specific action strings (e.g., myButtonStart in the PowerOff receiver), there are no evident permission checks, leaving potential for external broadcasts which might cause unintended behavior.
- For PowerOff:
Intent powerOffIntent = new Intent(); powerOffIntent.setComponent(new ComponentName("com.eypcnnapps.quickreboot", "com.eypcnnapps.quickreboot.widget.PowerOff")); powerOffIntent.setAction("myButtonStart"); sendBroadcast(powerOffIntent);
Recommendations: It's advisable to remove the exported="true" flag or implement appropriate permissions or input validation checks to ensure only legitimate broadcasts are processed.