Receiving broadcast from notification on Android Oreo

Question

I have a custom button in a sticky notification.
I used to attach a PendingIntent to it for receiving button clicks:

Intent intent = new I         


        

Answer 1

I ran into this issue as well on Android 8 - Oreo, but given my library project requirements, I don't have the explicitly named BroadcastReceiver class implementation, that the end-client will declare in it's AndroidManifest.

Solution:

Specify the application package on the Intent using setPackage(String).

Example:

// Application unique intent action String
final String receiverAction = getApplicationContext().getPackageName() 
                             + BaseLibraryReceiver.ACTION_SUFFIX;
// No need for Class definition in the constructor.
Intent intent = new Intent(); 
// Set the unique action.
intent.setAction(receiverAction);
// Set the application package name on the Intent, so only the application
// will have this Intent broadcasted, thus making it “explicit" and secure.
intent.setPackage(getApplicationContext().getPackageName());
...

From the Android Broadcasts: Security considerations and best practices docs.

In Android 4.0 and higher, you can specify a package with setPackage(String) when sending a broadcast. The system restricts the broadcast to the set of apps that match the package.

Here’s an example of the BroadcastReceiver declared (or merged) in to the end-client application’s AndroidManifest:

Since my example revolves around a library project that broadcasts an Intent, I’ve decided to keep the and in the declaration. Otherwise, there would be non-unique broadcast actions being fired, which could lead to potential issues where multiple applications receive the wrong broadcast. This is mostly a safety precaution. Of course you still need to check the action in the implementation of the BroadcastReceiver.

Hope someone finds this helpful!