In Android applications, receiving intents is security-sensitive. For example, it has led in the past to the following vulnerability:
Once a receiver is registered, any app can broadcast potentially malicious intents to your application.
This rule raises an issue when a receiver is registered without specifying any "broadcast permission".
There is a risk if you answered yes to any of those questions.
Restrict the access to broadcasted intents. See Android documentation for more information.
import android.content.BroadcastReceiver; import android.content.Context; import android.content.IntentFilter; import android.os.Build; import android.os.Handler; import android.support.annotation.RequiresApi; public class MyIntentReceiver { @RequiresApi(api = Build.VERSION_CODES.O) public void register(Context context, BroadcastReceiver receiver, IntentFilter filter, String broadcastPermission, Handler scheduler, int flags) { context.registerReceiver(receiver, filter); // Sensitive context.registerReceiver(receiver, filter, flags); // Sensitive // Broadcasting intent with "null" for broadcastPermission context.registerReceiver(receiver, filter, null, scheduler); // Sensitive context.registerReceiver(receiver, filter, null, scheduler, flags); // Sensitive context.registerReceiver(receiver, filter,broadcastPermission, scheduler); // OK context.registerReceiver(receiver, filter,broadcastPermission, scheduler, flags); // OK } }