In Android applications, broadcasting intents is security-sensitive. For example, it has led in the past to the following vulnerability:
By default, broadcasted intents are visible to every application, exposing all sensitive information they contain.
This rule raises an issue when an intent is broadcasted without specifying any "receiver permission".
There is a risk if you answered yes to any of those questions.
Restrict the access to broadcasted intents. See Android documentation for more information.
import android.content.BroadcastReceiver; import android.content.Context; import android.content.Intent; import android.os.Build; import android.os.Bundle; import android.os.Handler; import android.os.UserHandle; import android.support.annotation.RequiresApi; public class MyIntentBroadcast { @RequiresApi(api = Build.VERSION_CODES.JELLY_BEAN_MR1) public void broadcast(Intent intent, Context context, UserHandle user, BroadcastReceiver resultReceiver, Handler scheduler, int initialCode, String initialData, Bundle initialExtras, String broadcastPermission) { context.sendBroadcast(intent); // Sensitive context.sendBroadcastAsUser(intent, user); // Sensitive // Broadcasting intent with "null" for receiverPermission context.sendBroadcast(intent, null); // Sensitive context.sendBroadcastAsUser(intent, user, null); // Sensitive context.sendOrderedBroadcast(intent, null); // Sensitive context.sendOrderedBroadcastAsUser(intent, user, null, resultReceiver, scheduler, initialCode, initialData, initialExtras); // Sensitive context.sendBroadcast(intent, broadcastPermission); // Ok context.sendBroadcastAsUser(intent, user, broadcastPermission); // Ok context.sendOrderedBroadcast(intent, broadcastPermission); // Ok context.sendOrderedBroadcastAsUser(intent, user,broadcastPermission, resultReceiver, scheduler, initialCode, initialData, initialExtras); // Ok } }