In Android applications, receiving intents is security-sensitive. For example, it has led in the past to the following vulnerability:
Once a receiver is registered, any app can broadcast potentially malicious intents to your application.
This rule raises an issue when a receiver is registered without specifying any "broadcast permission".
You may be at risk if you answered yes to any of those questions.
Restrict the access to broadcasted intents. See Android documentation for more information.
import android.content.BroadcastReceiver; import android.content.Context; import android.content.IntentFilter; import android.os.Build; import android.os.Handler; import android.support.annotation.RequiresApi; public class MyIntentReceiver { @RequiresApi(api = Build.VERSION_CODES.O) public void register(Context context, BroadcastReceiver receiver, IntentFilter filter, String broadcastPermission, Handler scheduler, int flags) { context.registerReceiver(receiver, filter); // Sensitive context.registerReceiver(receiver, filter, flags); // Sensitive // Broadcasting intent with "null" for broadcastPermission context.registerReceiver(receiver, filter, null, scheduler); // Sensitive context.registerReceiver(receiver, filter, null, scheduler, flags); // Sensitive context.registerReceiver(receiver, filter,broadcastPermission, scheduler); // OK context.registerReceiver(receiver, filter,broadcastPermission, scheduler, flags); // OK } }