In Android applications, receiving intents is security-sensitive. For example, it has led in the past to the following vulnerability:

Once a receiver is registered, any app can broadcast potentially malicious intents to your application.

This rule raises an issue when a receiver is registered without specifying any "broadcast permission".

Ask Yourself Whether

You may be at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Restrict access to broadcast intents. See Android documentation for more information.

Sensitive Code Example

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.IntentFilter;
import android.os.Build;
import android.os.Handler;
import android.support.annotation.RequiresApi;

public class MyIntentReceiver {

    @RequiresApi(api = Build.VERSION_CODES.O)
    public void register(Context context, BroadcastReceiver receiver,
                         IntentFilter filter,
                         String broadcastPermission,
                         Handler scheduler,
                         int flags) {
        context.registerReceiver(receiver, filter); // Sensitive
        context.registerReceiver(receiver, filter, flags); // Sensitive

        // Registering a receiver with "null" for broadcastPermission:
        // any app can send matching intents to it
        context.registerReceiver(receiver, filter, null, scheduler); // Sensitive
        context.registerReceiver(receiver, filter, null, scheduler, flags); // Sensitive

        // A non-null broadcastPermission limits delivery to senders holding that permission
        context.registerReceiver(receiver, filter, broadcastPermission, scheduler); // OK
        context.registerReceiver(receiver, filter, broadcastPermission, scheduler, flags); // OK
    }
}
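
For comparison, a registration that restricts senders with a broadcast permission. This is an added example, not part of the original rule text; the permission name, action name, `count` extra and class name are hypothetical, and it assumes the AndroidX core library's `ContextCompat.registerReceiver` is available.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import androidx.core.content.ContextCompat;

public class SyncReceiverRegistrar {

    // Hypothetical names for this example. The permission is assumed to be
    // declared in AndroidManifest.xml with a restrictive protection level:
    //   <permission android:name="com.example.app.permission.SYNC_BROADCAST"
    //               android:protectionLevel="signature" />
    static final String SYNC_PERMISSION = "com.example.app.permission.SYNC_BROADCAST";
    static final String ACTION_SYNC_DONE = "com.example.app.action.SYNC_DONE";

    private final BroadcastReceiver receiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            // The permission limits who may send; the content is still validated.
            if (!ACTION_SYNC_DONE.equals(intent.getAction())) {
                return;
            }
            int count = intent.getIntExtra("count", -1); // hypothetical extra
            if (count < 0) {
                return; // missing or out-of-range value: ignore the broadcast
            }
            // ... handle the validated result ...
        }
    };

    public void register(Context context) {
        IntentFilter filter = new IntentFilter(ACTION_SYNC_DONE);
        // Non-null broadcastPermission: only senders holding SYNC_PERMISSION
        // are delivered to this receiver. A null Handler means onReceive runs
        // on the main thread. RECEIVER_EXPORTED is used because the sender is
        // assumed to be a separate app signed with the same key; use
        // RECEIVER_NOT_EXPORTED when only this app sends the broadcast.
        ContextCompat.registerReceiver(context, receiver, filter,
                SYNC_PERMISSION, null, ContextCompat.RECEIVER_EXPORTED);
    }

    public void unregister(Context context) {
        context.unregisterReceiver(receiver);
    }
}
```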

See