This repository has been archived by the owner on Jan 25, 2024. It is now read-only.

avoid-intent-sniffing.md

Avoid Intent Sniffing

When an activity is initiated by another application using a broadcast intent, the data passed in the intent can be read by a malicious app.

Details

When another application initiates an activity by sending a broadcast intent, malicious apps can read the data included in the intent. A malicious app can also read the list of recent intents for an application. For example, if an app invokes the Android web browser and passes it a URL, an attacker could sniff that URL.

Remediation

Do not pass sensitive data between apps using broadcast intents. Instead, use explicit intents.
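
The remediation above, shown as an added example that is not part of the original guidance: an implicit broadcast carrying sensitive data next to its explicit form, plus a guard that a shared send helper can apply. The package, class, action and extra names are hypothetical.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

/** Added example. All com.example.* names below are hypothetical. */
public final class SessionSender {
    private static final String ACTION_SESSION = "com.example.sender.action.SESSION";
    private static final String EXTRA_TOKEN = "com.example.sender.extra.TOKEN";
    private static final String RECEIVER_PKG = "com.example.receiver";
    private static final String RECEIVER_CLS = "com.example.receiver.SessionReceiver";

    private SessionSender() {}

    // Weak: implicit broadcast. Any installed app that registers a receiver
    // for ACTION_SESSION receives a copy of the intent, including the token.
    static void sendImplicit(Context ctx, String token) {
        Intent intent = new Intent(ACTION_SESSION);
        intent.putExtra(EXTRA_TOKEN, token);
        ctx.sendBroadcast(intent);
    }

    // Hardened: explicit intent. Naming the target component means the
    // system delivers the intent to that one receiver only.
    static void sendExplicit(Context ctx, String token) {
        Intent intent = new Intent(ACTION_SESSION);
        intent.setComponent(new ComponentName(RECEIVER_PKG, RECEIVER_CLS));
        intent.putExtra(EXTRA_TOKEN, token);
        sendChecked(ctx, intent);
    }

    // Guard: refuse to broadcast an intent that carries a payload (extras or
    // a data URI such as a URL) unless it names an explicit component.
    static void sendChecked(Context ctx, Intent intent) {
        boolean explicit = intent.getComponent() != null;
        boolean hasExtras = intent.getExtras() != null && !intent.getExtras().isEmpty();
        boolean hasData = intent.getData() != null;
        if ((hasExtras || hasData) && !explicit) {
            throw new SecurityException(
                "Refusing to send a payload in an implicit broadcast: " + intent.getAction());
        }
        ctx.sendBroadcast(intent);
    }
}
```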

CWE/OWASP