Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Android make broadcast receiver secure

Tags:

android

security

I'm trying to implement a "secure" broadcast receiver which only receives broadcasts from a specific app. This is because I want to make a plugin to my app which triggers actions via broadcasts. As this actions are (partly) sensible it would be nice to check if the sender is really my application. As far as I have seen it's impossible to check the sender package?? Would it be secure to define a custom permission for that? If yes, how can I do this? What other possibilities are there to achieve this?

Thanks in advance!

like image 280
Fleckdalm Avatar asked Apr 12 '13 17:04

Fleckdalm

People also ask

How do I protect my broadcast on Android?

To prevent arbitrary processes from sending sensitive broadcast Intents, Android allows the declaration of sensitive broadcast actions as “protected” by using the 'protected-broadcast' element in an authorized app's AndroidManifest. xml file.

Is broadcast receiver deprecated in Android?

What does saving battery have to do with BroadcastReceivers? With Android Nougat, the support for registering three different implicit BroadcastReceivers in your AndroidManifest was removed. With apps targeting Android O, all implicit BroadcastReceivers registered in the manifest (except these) will stop working.

Why do we use broadcast receiver in Android?

Broadcast in android is the system-wide events that can occur when the device starts, when a message is received on the device or when incoming calls are received, or when a device goes to airplane mode, etc. Broadcast Receivers are used to respond to these system-wide events.

1 Answers

Would it be secure to define a custom permission for that?

If both the app and the plugin are written by you, a custom permission with android:protectionLevel="signature" would seem to be the ideal solution for your problem. No apps will be able to send broadcasts to your receiver without holding that permission, which can only be held by apps signed by the same signing key. As a bonus, users do not have to agree to the permission at install time.

Pro tip: define the <permission> element in both the app and the plugin, so the install order of those two does not matter.

Note that custom permissions have a security flaw prior to Android 5.0, and that on Android 5.0+ no two apps can define the same permission unless they are signed by the same signing key.

like image 77
CommonsWare Avatar answered Sep 20 '22 06:09

CommonsWare
Sign in to Comment

Related questions

How to simulate home, back, menu, search, task and volume buttons?
SeekBar Thumb position issue
How to set Header , Scrollable content and Footer? in Android
Droid: How to reorder a linearlayouts contents programmatically?
Unsupported action error on click of email link
Hiding app title bar in Android pager
NullpointerException when calling getSystemService(Context.LOCATION_SERVICE) and onLocationChanged not called
NullPointerException android.support.v4.app.FragmentManagerImpl.saveFragmentBasicState
Device claims external storage, yet I have no SD card
Cannot start/launch Android emulator in the AVD [duplicate]
FragmentTabHost & Fragments - How do I pass data between tabs?
java.lang.OutOfMemoryError Even in a try-catch block?
Keyboard appear automatically on Nexus7 version 4.2
EditText Loses Focus on Click
Programmatically styling Android's CheckBox
How to animate on finish() via ActivityOptions in Android?
Remove the background of a textview
SQLite Trigger Expression For Deleting Rows
Border on the left side of the button only
How to get this Context in a static method

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!