Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Android: are context-registered broadcast receivers exported?

Tags:

android

broadcastreceiver

android-broadcast

If I register a broadcast receiver say in my activity like this,

@Override
protected void onResume() {
    super.onResume();

    myReceiver = new BroadcastReceiver() { ... };
    IntentFilter filter = new IntentFilter("com.example.MY_ACTION");
    registerReceiver(myReceiver, filter);
}

Is this receiver exported? if another app broadcasts com.example.MY_ACTION, will it be received by myReceiver?

If it is, I assume I need to use the form of registerReceiver() that accepts a string permission, and then define that permission in my manifest, giving it a high protection level (such as signature). Is that correct? Is there a simpler way?

like image 231
Jeffrey Blattman Avatar asked Jul 26 '12 17:07

Jeffrey Blattman

2 Answers

To spare others the work and for my own archiving purposes: Yes, context-registered receivers are exported by default.

There doesn't seem to be a lot of documentation but you can validate this quickly by running a separate app sending a custom broadcast. I tested this on APIs 16-29, the broadcast will be received and so every package will be able to send to your receiver (which can be a security flaw).

To solve the issue without using local broadcasts (should be used wherever possible) you are on the right track in defining a custom permission and restricting broadcasts to apps that have requested that permission. For the sake of completeness:

Define and use a custom permission in the manifest:

<permission android:name="com.example.bcrtest.BROADCAST_PERMISSION"
    android:protectionLevel="signature"/>
<uses-permission android:name="com.example.bcrtest.BROADCAST_PERMISSION" />

Register receiver with permission:

registerReceiver(mReceiver, new IntentFilter(MY_INTENT_ACTION), "com.example.bcrtest.BROADCAST_PERMISSION", null );
like image 164
MattSchmatt Avatar answered Oct 19 '22 01:10

MattSchmatt

From the api docs on the BroadcastReceiver API:

If you don't need to send broadcasts across applications, consider using this class with LocalBroadcastManager instead of the more general facilities described below. This will give you a much more efficient implementation (no cross-process communication needed) and allow you to avoid thinking about any security issues related to other applications being able to receive or send your broadcasts.

That way at least you can keep the receiver only inside your application.

like image 25
Kaediil Avatar answered Oct 19 '22 01:10

Kaediil
Sign in to Comment

Related questions

java.lang.RuntimeException: Fail to get camera info
Android & Facebook SDK : decoding pictures from /me/picture graph call
GoogleAuthUtil.getToken returns invalid authentication code
Android SeekBarChangeListener and TouchListener No Events
Android MVP: safe use Context in Presenter
Should I do `Thread.currentThread().interrupt()` before `throw new InterruptedIOException()`?
overridePendingTransition in a fragment
FCM returns error : NotRegistered after the first message
ClickListener in PagerAdapter fires on wrong position
Android ANR - Input dispatching timed out
Can I customize the firebase OTP digits (default 6 to 4)?
Build FFmpeg for All Android architecture correctly
Using TreeTranslator to rename functions not working for Kotlin
Android - Outgoing transactions from this process must be FLAG_ONEWAY
Getting KeyStoreException and GeneralSecurityException by using EncryptedSharedPreferences, how can I solve those?
adb over Wi-Fi (Android 11+) on Windows: how to keep a fixed port or connect automatically?
Android - Custom App Themes that are freely available [closed]
Android Facebook SSO for server side authentication
How to access Letter Recognizer API in Android?
Android camera preview: 1:1 aspect ratio, how?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!