How to fix Unprotected SMS BroadcastReceiver lint warning

Question

My app needs to be able to receive SMS messages. It all works, but I get this lint warning:

BroadcastReceivers that declare an intent-filter for SMS_DELIVER or SMS_RECEIVED must ensure that the caller has the BROADCAST_SMS permission, otherwise it is possible for malicious actors to spoof intents.

How do I "ensure that the caller has the BROADCAST_SMS permission"?

In my manifest I have:

<uses-permission android:name="android.permission.RECEIVE_SMS" />
<application ...>
    <receiver
        android:name=".SmsReceiver"
        android:enabled="true"
        android:exported="true">
        <intent-filter android:priority="1000">
            <action android:name="android.provider.Telephony.SMS_RECEIVED" />
        </intent-filter>
    </receiver>
</application>

My code:

public class SmsReceiver extends BroadcastReceiver {
    public SmsReceiver() {}

    @Override
    public void onReceive(final Context context, final Intent intent) {

        final Bundle bundle = intent.getExtras();
        if (bundle != null) {
            final Object[] pdusObj = (Object[]) bundle.get("pdus");
            for (int i = 0; i < pdusObj.length; i++) {
                final SmsMessage currentMessage = SmsMessage.createFromPdu((byte[]) pdusObj[i]);
                // use currentMessage
            }
        }
    }
}

Answer 1

Add android:permission="android.permission.BROADCAST_SMS" to the opening <receiver> tag.

Also, components are enabled by default, and the <intent-filter> exports it, so you don't really need to explicitly include those attributes.

<receiver
    android:name=".SmsReceiver"
    android:permission="android.permission.BROADCAST_SMS">