Android make broadcast receiver secure

Question

I\'m trying to implement a \"secure\" broadcast receiver which only receives broadcasts from a specific app. This is because I want to make a plugin to my app which triggers act

Answer 1

Would it be secure to define a custom permission for that?

If both the app and the plugin are written by you, a custom permission with android:protectionLevel="signature" would seem to be the ideal solution for your problem. No apps will be able to send broadcasts to your receiver without holding that permission, which can only be held by apps signed by the same signing key. As a bonus, users do not have to agree to the permission at install time.

Pro tip: define the element in both the app and the plugin, so the install order of those two does not matter.

Note that custom permissions have a security flaw prior to Android 5.0, and that on Android 5.0+ no two apps can define the same permission unless they are signed by the same signing key.