
Enabling "detectUnsafeIntentLaunch" in strictMode throws warning even for Implicit Intent with setPackage

I have enabled detectUnsafeIntentLaunch in StrictMode to test for the change while targeting Android SDK 35 in my SDK. I have the following code where I send a broadcast and it is caught within the application.

Code to send the broadcast:

context.sendBroadcast(new Intent("my_custom_action").putExtras(extras)
    .setPackage(context.getPackageName()));

Code to register and receive the broadcast:

IntentFilter filter = new IntentFilter();
filter.addAction("my_custom_action");
internalReceiver = new OpenedNotificationReceiver();

ContextCompat.registerReceiver(context, internalReceiver, filter, ContextCompat.RECEIVER_NOT_EXPORTED);

Google recommends calling setPackage on implicit Intents, yet it still throws warnings -> https://support.google.com/faqs/answer/10399926?hl=en

I have set the package as recommended, but I am getting a warning. Does anyone know how I can get rid of these warnings, or are they false positives?

StrictMode policy violation: android.os.strictmode.UnsafeIntentLaunchViolation: Launch of unsafe intent:

As the package is set to my own, this should not throw any warning. I don't know which activity will handle this, as it is part of the app but not my SDK code, and I cannot add it as a component and make it explicit, as it might keep changing.

amIT asked Sep 13 '25 06:09


1 Answer

You will also get the UnsafeIntentLaunchViolation warning when an intent is launched with an unfiltered copy of extras. This change was introduced in this commit.

Originally the warning used to appear only for an unsafe implicit intent launch. The solution was to make the intent explicit by using setComponent() / setClass() / setPackage().

As you can see in the linked commit, you will also get the UnsafeIntentLaunchViolation warning when an Intent is launched with potentially unfiltered data. This can occur when you copy the extras from one intent to another intent using putExtras(Intent) or putExtras(Bundle).

Solution:

As suggested in the commit, the solution is to replace the putExtras call with individual calls to putExtra to only include the items expected in the extras. Also make sure you sanitize and validate the extras before copying them to the intent.

Full commit text:

Report UnsafeIntentLaunchViolation for unfiltered extras copy

Android 12 introduced a new StrictMode check to report an unsafe Intent launch; initially this was intended to warn developers when a launched Intent could potentially have originated from an external source. This commit updates this check to also report when an Intent is being launched with potentially unfiltered data; that is data that was copied without sanitation / validation from a parceled Intent or Bundle. When a violation is reported for unfiltered data the developer should replace the #putExtras call with individual calls to #putExtra to only include the items expected in the extras.

P.S.: I think it would be helpful if the warning message provided more details about why the Intent is flagged as unsafe.

Raghavendra N answered Sep 15 '25 18:09
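One way to apply the fix recommended in the commit text to the broadcast from the question, as an added example that is not code from the original posts or from the Android project. The extra names `notification_id` and `campaign`, the length limit and the character pattern are assumptions; substitute the keys and rules your receiver actually relies on.

```java
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;

/** Added example: builds the internal broadcast from an allow-list instead of putExtras(). */
public final class InternalBroadcasts {
    static final String ACTION = "my_custom_action";      // action used in the question
    // Hypothetical extra names (assumptions, not taken from the page).
    static final String EXTRA_NOTIFICATION_ID = "notification_id";
    static final String EXTRA_CAMPAIGN = "campaign";
    private static final int MAX_CAMPAIGN_LENGTH = 64;    // assumed limit

    private InternalBroadcasts() {}

    /** Copies only expected, validated values out of a Bundle that may be untrusted. */
    static Intent buildIntent(Context context, Bundle untrusted) {
        // Restrict delivery to this app, as in the question's original code.
        Intent intent = new Intent(ACTION).setPackage(context.getPackageName());
        if (untrusted == null) {
            return intent;
        }
        // Typed getters fall back to the default when the key is missing
        // or holds a value of a different type.
        int id = untrusted.getInt(EXTRA_NOTIFICATION_ID, -1);
        if (id >= 0) {
            intent.putExtra(EXTRA_NOTIFICATION_ID, id);
        }
        String campaign = untrusted.getString(EXTRA_CAMPAIGN);
        if (campaign != null
                && campaign.length() <= MAX_CAMPAIGN_LENGTH
                && campaign.matches("[A-Za-z0-9_-]+")) {
            intent.putExtra(EXTRA_CAMPAIGN, campaign);
        }
        // Everything else in the Bundle (unknown keys, nested Intents,
        // arbitrary Parcelables) is deliberately not forwarded.
        return intent;
    }

    /** Replaces sendBroadcast(new Intent(...).putExtras(extras).setPackage(...)). */
    static void send(Context context, Bundle untrusted) {
        context.sendBroadcast(buildIntent(context, untrusted));
    }
}
```

Because each value is read with a typed getter and checked before it is written, the receiver only ever sees the keys and types it expects, whatever the incoming Bundle contained.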