
What security issues might SendBroadcast cause and what is a better approach?

And again I've got a question, which is again Android related. It's just for me to get more insight on the workings of sending broadcast.

What I would like to know is:

1. Why would one use the broadcast receiver over activities for result?
I thought the broadcast receiver would be more useful to handle actual device messages, than just for passing around intents in an app.

2. What kind of security issues could a developer encounter?
Am I right if I assume, that anyone that knows my package name (maybe through reverse engineering), could basically catch the sent intents and see the information passed with it?

3. What good is the LocalBroadcastManager if you want to pass objects to other activities?
I read that this might be better if you don't want the sent intents to leak outside the app. Does this also mean that even if someone has the package name, they still cannot receive the broadcast outside the app?

If you think my questions are not complete or are based on flawed assumptions, please let me know, so I can learn from it. :)

Many thanks to all that can help.

Cheers,

Do

StingRay5 asked Feb 21 '23 22:02


1 Answer

1) Broadcast Receivers are a mechanism to receive messages (intents) globally without having any UI. They are good for passing information between different components like Service, Activity or even BroadcastReceiver itself. They can be defined in the manifest to listen for a specific action and do stuff (e.g. launching a service/activity) even if your app is not running. However, with activityForResult, your app (activity) must be running in order to receive results, which may not be suitable all the time.

2) Yes, if your action string is known to other apps, then your broadcasts are exposed to any receiver which listens to those specific actions. To avoid this, use LocalBroadcastManager.

3) Using LocalBroadcastManager is the best way to increase privacy by ensuring that your broadcast will only be broadcast and listened to within your application's context. Other applications can't listen to such broadcasts as they have their own context and are unaware of your app's context.

As per the Google docs for LocalBroadcastManager:

  • You know that the data you are broadcasting won't leave your app, so don't need to worry about leaking private data.
  • It is not possible for other applications to send these broadcasts to your app, so you don't need to worry about having security holes they can exploit.
  • It is more efficient than sending a global broadcast through the system

Final words: If you need to broadcast messages within your app and don't want to send them globally, then LocalBroadcastManager is the best choice. Otherwise, go with the ordinary way.

waqaslam answered Mar 30 '23 00:03
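The exposure discussed in the question and answer above, shown side by side with the narrower ways to send the same intent. This is an added example, not code from the original post; the class name, action string, permission name and extra key are hypothetical, and it assumes an Android project with the `androidx.localbroadcastmanager` dependency.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import androidx.localbroadcastmanager.content.LocalBroadcastManager;

public final class SessionNotifier {
    // Constructed action string and permission name, for illustration only.
    static final String ACTION_SESSION = "com.example.app.ACTION_SESSION";
    static final String PERM_SESSION = "com.example.app.permission.SESSION_EVENTS";

    private static Intent build(String token) {
        return new Intent(ACTION_SESSION).putExtra("token", token);
    }

    // Exposed: an implicit system-wide broadcast. Any installed app that registers
    // a receiver for ACTION_SESSION is delivered the intent, extras included.
    static void sendGlobal(Context ctx, String token) {
        ctx.sendBroadcast(build(token));
    }

    // Narrowed: still goes through the system, but setPackage() limits delivery
    // to receivers that belong to this app's own package.
    static void sendToOwnPackage(Context ctx, String token) {
        ctx.sendBroadcast(build(token).setPackage(ctx.getPackageName()));
    }

    // Narrowed: only receivers whose app holds PERM_SESSION get the intent.
    // Assumes the manifest declares PERM_SESSION with protectionLevel "signature".
    static void sendWithPermission(Context ctx, String token) {
        ctx.sendBroadcast(build(token), PERM_SESSION);
    }

    // In-process: the intent never leaves this process, and other apps cannot
    // inject ACTION_SESSION into receivers registered this way.
    // Note: LocalBroadcastManager is deprecated in current androidx releases.
    static void sendLocal(Context ctx, String token) {
        LocalBroadcastManager.getInstance(ctx).sendBroadcast(build(token));
    }

    // Receivers for sendLocal() must be registered on the same manager;
    // a receiver registered via Context.registerReceiver() will not see them.
    static void registerLocal(Context ctx, BroadcastReceiver receiver) {
        LocalBroadcastManager.getInstance(ctx)
                .registerReceiver(receiver, new IntentFilter(ACTION_SESSION));
    }
}
```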