Restricting Android Broadcast Receiver from specific app

android broadcastreceiver android-permissions
14,104

The tag can also define what permission the broadcasters should have, see http://developer.android.com/guide/topics/manifest/receiver-element.html#prmsn

I means you can protected your receiver from unauthorized broadcasts by coding like this:

...
<permission android:name="com.yourapp.PERMISSION"
    android:protectionLevel="signature"
        android:label="@string/permission_label"
        android:description="@string/permission_desc">
</permission>
...

<receiver android:name=".MyReceiver"
    android:permission="com.yourapp.PERMISSION">
    <intent-filter>
        <action android:name="com.yourapp.ACTION" />
    </intent-filter>
</receiver>
...
Share:
14,104
user1012131
Author by

user1012131

Updated on June 05, 2022

Comments

  • user1012131
    user1012131 almost 2 years

    I have 2 applications.
    If I use service, I can set permission so only app1 can send intent to app2:
    Define permission in app2 (protection level: signature), and use that permission in app1.
    Service in app2 is protected by that permission.
    In this way, only app1 can send an intent to a service on app2, and no other app (unless my signature is leaked) can send intent to service on app2.

    Can I do the same with Broadcast Receiver?

    • app1: sendBroadcast(intent, permission)
    • app2: define permission, use that permission.

    To my understanding for using sendBroadcast(intent, permission), the application doesn't need to "use" the permission. Meaning ANY application can send intent to app2. Those permission parameters only checked against app2, to avoid other applications to receive this intent. (If I remove app2, and install fake app2 with the same permission string defined, fake app2 can get intent from app1, which is unexpected)

    BTW, If application define the permission and use it itself, the protectionLevel(signature) seems to have no meaning. Is this true?

    Now, I can set additional permission:

    • app1: Define permission, use that permission.
    • app2: Receiver restricted only for that permission.

    Again, if one removes app1, installs fake app1 with the very same permission, then fake app1 can send fake intent to app2. What can I do to prevent app2 from receiving fake intent?

    Thanks

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to detect Bluetooth state change using a broadcast receiver?
android - "Exported receiver does not require permission" on receivers meant to receive from system services
BroadcastReceiver SMS_Received not working on new devices
flutter location permission from integration test not working
Location permission declaration needs to be updated even after removed permission - App Content - Reject Google Play Console
Background location permission auto-added in Android with flutter location plugin
Read/write to Downloads folder denied after targeting Android SDK version 29
Flutter background location access
How do you use receiver (BroadcastReceiver) in a flutter plugin?
Flutter ImagePicker error "attribute android:requestLegacyExternalStorage not found"