Android uses Intents as the messages passed between components such as activities, services and broadcast receivers. An application can broadcast a message in an Intent to more than one application with the Context.sendBroadcast() API, as below:
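// Implicit Intent: no target package or component is named
Intent intent = new Intent();
intent.setAction("com.bankapp.ShowCCInfo");
intent.putExtra("CreditCard", creditcard);
// Delivered to every receiver registered for this action
sendBroadcast(intent);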
Any other application that registers to receive broadcasts, either in its manifest file or in code, can intercept the credit card information that was sent.
It is wise to require read and write permissions for custom Content Providers so that they are consumed securely. Here is an example:
<provider android:authorities="com.bankapp.contentprovider.MyContentProvider"
    android:exported="true"
    android:grantUriPermissions="true"
    android:name="com.bankapp.contentprovider.MyContentProvider"
    android:readPermission="android.permission.permRead"
    android:writePermission="android.permission.permWrite">
</provider>
Data stored in a custom content provider, such as generated mail attachments, can also be referenced by URIs included in Intents. When the recipient of such an Intent, for example a mail client application that sends the attachment, does not hold the required permission, the sender of the Intent can grant temporary permissions to the target application through Intent flags, as below:
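Intent attachment = new Intent(Intent.ACTION_SEND);
// setData() clears a previously set type, so set both in one call
attachment.setDataAndType(uri, type);
attachment.putExtra(Intent.EXTRA_STREAM, uri);
attachment.putExtra(Intent.EXTRA_SUBJECT, title);
// Grants temporary read access to the URI to the component that receives the Intent
attachment.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
// Implicit broadcast: delivered to every receiver registered for ACTION_SEND
sendBroadcast(attachment);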
If this Intent is broadcast, any malicious application registered to receive it will be able to see the sensitive attachment.
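A hardened form of the two snippets above, added here as an example and not part of the original page. The class name SafeIntentSender, its method names and the permission com.bankapp.permission.RECEIVE_CC_INFO are hypothetical; the permission is assumed to be declared in the app's manifest with android:protectionLevel="signature".

```java
import android.app.Activity;
import android.content.ClipData;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;

/** Added example: restricts who can receive the two Intents shown on this page. */
public final class SafeIntentSender {
    // Assumption: declared by the app in its manifest with
    // android:protectionLevel="signature"; the name is hypothetical.
    static final String RECEIVE_PERMISSION = "com.bankapp.permission.RECEIVE_CC_INFO";

    private SafeIntentSender() {}

    /** Broadcast limited to this app's own receivers that hold RECEIVE_PERMISSION. */
    public static void sendCardInfo(Context ctx, String creditcard) {
        Intent intent = new Intent("com.bankapp.ShowCCInfo");
        // Restrict resolution to this app's package, so receivers in other
        // packages that filter on the same action are never matched.
        intent.setPackage(ctx.getPackageName());
        intent.putExtra("CreditCard", creditcard);
        // Second argument: a receiver must hold this permission to get the broadcast.
        ctx.sendBroadcast(intent, RECEIVE_PERMISSION);
    }

    /** Hands the attachment to one activity the user picks instead of broadcasting it. */
    public static void shareAttachment(Activity activity, Uri uri, String type, String title) {
        Intent attachment = new Intent(Intent.ACTION_SEND);
        attachment.setType(type);
        attachment.putExtra(Intent.EXTRA_STREAM, uri);
        attachment.putExtra(Intent.EXTRA_SUBJECT, title);
        // The grant flag applies to the Intent's data and ClipData URIs, so the
        // URI is carried in ClipData as well as in EXTRA_STREAM.
        attachment.setClipData(ClipData.newRawUri(title, uri));
        attachment.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        // startActivity resolves to a single activity chosen by the user,
        // not to every registered receiver.
        activity.startActivity(Intent.createChooser(attachment, title));
    }
}
```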