In Android applications, broadcasting intents is security-sensitive, and it has led to vulnerabilities in the past.
By default, broadcast intents are visible to every application on the device, which exposes any sensitive information they contain.
This rule raises an issue when an intent is broadcast without a "receiver permission", that is, when the receiver-permission argument is omitted or passed as `null`.
There is a risk if you answered yes to any of those questions, that is, if the intent contains sensitive information or if its reception is not restricted.
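Restrict access to broadcast intents, for example by supplying a receiver permission so that only applications holding that permission can receive them. See the Android documentation for more information.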
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.Bundle;
import android.os.Handler;
import android.os.UserHandle;
import android.support.annotation.RequiresApi;
/**
 * Sample class contrasting unrestricted broadcasts (marked {@code Sensitive}) with
 * broadcasts that name a receiver permission (marked {@code Ok}).
 *
 * <p>The calls are kept in one method purely for illustration; each line is an
 * independent example of one {@link Context} broadcast overload.
 */
public class MyIntentBroadcast {

    /**
     * Sends the same intent through every broadcast overload, first without and then
     * with a receiver permission.
     *
     * @param intent              the intent to broadcast; any extras it carries are
     *                            readable by whichever receivers are allowed to get it
     * @param context             context used to send the broadcasts
     * @param user                target user for the {@code ...AsUser} variants
     * @param resultReceiver      final receiver for the ordered broadcast
     * @param scheduler           handler on which {@code resultReceiver} is scheduled
     * @param initialCode         initial result code of the ordered broadcast
     * @param initialData         initial result data of the ordered broadcast
     * @param initialExtras       initial result extras of the ordered broadcast
     * @param broadcastPermission permission a receiver must hold to get the intent
     */
    @RequiresApi(api = Build.VERSION_CODES.JELLY_BEAN_MR1)
    public void broadcast(
            Intent intent,
            Context context,
            UserHandle user,
            BroadcastReceiver resultReceiver,
            Handler scheduler,
            int initialCode,
            String initialData,
            Bundle initialExtras,
            String broadcastPermission) {

        // No receiver permission at all: any application with a matching receiver
        // can read the intent and its extras.
        context.sendBroadcast(intent); // Sensitive
        context.sendBroadcastAsUser(intent, user); // Sensitive

        // An explicit null receiverPermission is equivalent to not restricting
        // reception, so these are flagged as well.
        context.sendBroadcast(intent, null); // Sensitive
        context.sendBroadcastAsUser(intent, user, null); // Sensitive
        context.sendOrderedBroadcast(intent, null); // Sensitive
        context.sendOrderedBroadcastAsUser(
                intent,
                user,
                null,
                resultReceiver,
                scheduler,
                initialCode,
                initialData,
                initialExtras); // Sensitive

        // A receiver permission is supplied, so only applications holding it can
        // receive the intent.
        // NOTE(review): these are marked Ok because an argument is passed; if a caller
        // hands in null for broadcastPermission the broadcast is as open as the ones
        // above. The restriction is also only as strong as the permission itself, so
        // prefer one that untrusted applications cannot obtain (for example a
        // signature-level permission declared by the sending application).
        context.sendBroadcast(intent, broadcastPermission); // Ok
        context.sendBroadcastAsUser(intent, user, broadcastPermission); // Ok
        context.sendOrderedBroadcast(intent, broadcastPermission); // Ok
        context.sendOrderedBroadcastAsUser(
                intent,
                user,
                broadcastPermission,
                resultReceiver,
                scheduler,
                initialCode,
                initialData,
                initialExtras); // Ok
    }
}