In Android applications, receiving intents is security-sensitive, and it has led to vulnerabilities in the past.
Once a receiver is registered, any app can broadcast potentially malicious intents to your application.
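This rule raises an issue when a receiver is registered without specifying any "broadcast permission", that is, when the registerReceiver overload used has no broadcastPermission parameter or when null is passed for it.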
There is a risk if you answered yes to any of those questions.
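Restrict access to broadcast intents, for example by passing a non-null broadcastPermission when registering the receiver so that only senders holding that permission can reach it. See the Android documentation for more information.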
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.IntentFilter;
import android.os.Build;
import android.os.Handler;
import android.support.annotation.RequiresApi;
/**
 * Sample that contrasts the {@code Context.registerReceiver} calls this rule flags with the
 * ones it accepts.
 *
 * <p>A receiver registered without a broadcast permission can be sent intents by any app on the
 * device. The calls marked "Sensitive" are in that state; the calls marked "OK" name a permission
 * that a sender must hold.
 */
public class MyIntentReceiver {

    /**
     * Registers {@code receiver} once per overload and argument combination so each case can be
     * labelled.
     *
     * @param context             context the receiver is registered on
     * @param receiver            receiver to register
     * @param filter              intent filter selecting the broadcasts to receive
     * @param broadcastPermission permission a broadcaster must hold; passed through unchecked, so
     *                            a null value here makes the "OK" calls equivalent to the
     *                            "Sensitive" ones
     * @param scheduler           handler passed to the overloads that accept one
     * @param flags               registration flags passed to the overloads that accept them
     */
    @RequiresApi(api = Build.VERSION_CODES.O)
    public void register(
            Context context,
            BroadcastReceiver receiver,
            IntentFilter filter,
            String broadcastPermission,
            Handler scheduler,
            int flags) {
        // These overloads have no broadcastPermission parameter, so no sender permission is
        // required. The value of flags is not visible here; the rule reports the call because no
        // permission is supplied.
        context.registerReceiver(receiver, filter); // Sensitive
        context.registerReceiver(receiver, filter, flags); // Sensitive

        // Registering the receiver with an explicit null broadcastPermission: the parameter
        // exists but imposes no restriction on who may send.
        context.registerReceiver(receiver, filter, null, scheduler); // Sensitive
        context.registerReceiver(receiver, filter, null, scheduler, flags); // Sensitive

        // A permission is supplied, so only senders holding it are delivered to the receiver.
        // NOTE(review): this holds only if the caller never passes null, and the restriction is
        // only as strong as the permission's protection level (e.g. a signature-level permission
        // limits senders to apps signed with the same key) - confirm both at the call site.
        context.registerReceiver(receiver, filter, broadcastPermission, scheduler); // OK
        context.registerReceiver(receiver, filter, broadcastPermission, scheduler, flags); // OK
    }
}