Priority: Critical
OacpResultReceiver is registered with Context.RECEIVER_EXPORTED and the action string org.oacp.ACTION_RESULT has no permission protection. Any app on the device can craft an intent with that action and inject arbitrary result payloads into Hark's chat UI.
Impact
- A malicious app can forge result payloads that Hark trusts
sourcePackage field is taken from intent.package (sender-controlled, trivially spoofable)- The
RESULT JSON string flows directly to Dart without sender validation
Recommended fix
- Protect the broadcast with a custom signature-level permission
- Or validate the sender by checking SOURCE_PACKAGE against PackageManager to confirm the package actually exists and has an OACP provider
- At minimum, verify the REQUEST_ID matches a pending dispatched request
Files
android/app/src/main/kotlin/com/oacp/hark/OacpResultReceiver.kt (line 52-57)
Priority: Critical
OacpResultReceiveris registered withContext.RECEIVER_EXPORTEDand the action stringorg.oacp.ACTION_RESULThas no permission protection. Any app on the device can craft an intent with that action and inject arbitrary result payloads into Hark's chat UI.Impact
sourcePackagefield is taken fromintent.package(sender-controlled, trivially spoofable)RESULTJSON string flows directly to Dart without sender validationRecommended fix
Files
android/app/src/main/kotlin/com/oacp/hark/OacpResultReceiver.kt(line 52-57)