Android make broadcast receiver secure

后端 未结 2 1715
逝去的感伤
逝去的感伤 2021-02-10 20:34

I\'m trying to implement a \"secure\" broadcast receiver which only receives broadcasts from a specific app. This is because I want to make a plugin to my app which triggers act

相关标签:
2条回答
  • 2021-02-10 21:12

    Define a custom permission in your manifest:

    <permission android:name="com.example.myapp.permission.NAME"
        android:protectionLevel="normal" />
    

    On your receiver, add permission attribute:

    <receiver android:name="MyReceiver" 
        android:permission="com.example.myapp.permission.NAME" />
    
    0 讨论(0)
  • 2021-02-10 21:26

    Would it be secure to define a custom permission for that?

    If both the app and the plugin are written by you, a custom permission with android:protectionLevel="signature" would seem to be the ideal solution for your problem. No apps will be able to send broadcasts to your receiver without holding that permission, which can only be held by apps signed by the same signing key. As a bonus, users do not have to agree to the permission at install time.

    Pro tip: define the <permission> element in both the app and the plugin, so the install order of those two does not matter.

    Note that custom permissions have a security flaw prior to Android 5.0, and that on Android 5.0+ no two apps can define the same permission unless they are signed by the same signing key.

    0 讨论(0)
提交回复
热议问题