When an implicit Intent is used with a method such as startActivity, startService, or sendBroadcast, it may be read by other applications on the device.

This means that sensitive data in these Intents may be leaked.

For sendBroadcast methods, specify a receiver permission so that only applications holding that permission can receive the Intent, or use a LocalBroadcastManager. Otherwise, ensure that Intents containing sensitive data have an explicit receiver class set.

The following example shows two ways of broadcasting Intents. In the 'BAD' case, no "receiver permission" is specified. In the 'GOOD' case, "receiver permission" or "receiver application" is specified.
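
The BAD and GOOD cases described above, written out as an added example (this is not the original page's code). The class name, action string, extra key, permission name, package name and receiver class are all hypothetical.

```java
import android.content.Context;
import android.content.Intent;

public final class TokenBroadcaster {
    // Hypothetical identifiers, used for illustration only.
    private static final String ACTION_TOKEN = "com.example.app.action.TOKEN_REFRESHED";
    private static final String EXTRA_TOKEN = "token";
    private static final String PERM_RECEIVE_TOKEN = "com.example.app.permission.RECEIVE_TOKEN";
    private static final String TRUSTED_PACKAGE = "com.example.companion";

    private TokenBroadcaster() {}

    // Builds an implicit Intent (action only, no target) carrying sensitive data.
    private static Intent tokenIntent(String token) {
        Intent intent = new Intent(ACTION_TOKEN);
        intent.putExtra(EXTRA_TOKEN, token);
        return intent;
    }

    // BAD: implicit Intent and no receiver permission. Any application that
    // registers a receiver for ACTION_TOKEN is delivered the token.
    public static void sendBad(Context context, String token) {
        context.sendBroadcast(tokenIntent(token));
    }

    // GOOD: receiver permission. Only receivers whose application holds
    // PERM_RECEIVE_TOKEN get the Intent. Assumes the permission is declared
    // with a signature protection level; a normal-level permission can be
    // requested by any application and would not restrict delivery.
    public static void sendWithReceiverPermission(Context context, String token) {
        context.sendBroadcast(tokenIntent(token), PERM_RECEIVE_TOKEN);
    }

    // GOOD: receiver application. Delivery is limited to one package.
    public static void sendToPackage(Context context, String token) {
        Intent intent = tokenIntent(token);
        intent.setPackage(TRUSTED_PACKAGE);
        context.sendBroadcast(intent);
    }

    // GOOD: explicit receiver class. The Intent is no longer implicit.
    public static void sendToReceiver(Context context, String token) {
        Intent intent = tokenIntent(token);
        intent.setClassName(TRUSTED_PACKAGE, TRUSTED_PACKAGE + ".TokenReceiver");
        context.sendBroadcast(intent);
    }
}
```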
