Restricting Android Broadcast Receiver from specific app
The <receiver> tag can also define what permission the broadcasters should have, see http://developer.android.com/guide/topics/manifest/receiver-element.html#prmsn
It means you can protect your receiver from unauthorized broadcasts by coding like this:
...
<permission android:name="com.yourapp.PERMISSION"
    android:protectionLevel="signature"
    android:label="@string/permission_label"
    android:description="@string/permission_desc">
</permission>
...
<receiver android:name=".MyReceiver"
    android:permission="com.yourapp.PERMISSION">
    <intent-filter>
        <action android:name="com.yourapp.ACTION" />
    </intent-filter>
</receiver>
...
user1012131
Updated on June 05, 2022
Comments
- user1012131 almost 2 years
I have 2 applications.
If I use a service, I can set a permission so only app1 can send an intent to app2: define the permission in app2 (protection level: signature), and use that permission in app1. The service in app2 is protected by that permission.
In this way, only app1 can send an intent to a service on app2, and no other app (unless my signature is leaked) can send an intent to the service on app2.
Can I do the same with a Broadcast Receiver?
- app1: sendBroadcast(intent, permission)
- app2: define permission, use that permission.
To my understanding, for using sendBroadcast(intent, permission), the application doesn't need to "use" the permission. Meaning ANY application can send an intent to app2. Those permission parameters are only checked against app2, to avoid other applications receiving this intent. (If I remove app2, and install a fake app2 with the same permission string defined, the fake app2 can get the intent from app1, which is unexpected.)
BTW, if an application defines the permission and uses it itself, the protectionLevel (signature) seems to have no meaning. Is this true?
Now, I can set an additional permission:
- app1: Define permission, use that permission.
- app2: Receiver restricted only for that permission.
Again, if one removes app1 and installs a fake app1 with the very same permission, then the fake app1 can send a fake intent to app2. What can I do to prevent app2 from receiving a fake intent?
Thanks