Android - “Exported receiver does not require permission” on receivers designed to receive from system services

I have some receivers declared in my AndroidManifest:

    <!-- no warning -->
    <receiver
        android:name=".receivers.TriggerMonitoringBootReceiver"
        android:enabled="false">
        <intent-filter>
            <action android:name="android.intent.action.BOOT_COMPLETED" />
        </intent-filter>
    </receiver>

    <!-- no warning -->
    <receiver
        android:name=".receivers.ScanResultsReceiver"
        android:enabled="false">
        <intent-filter>
            <action android:name="android.net.wifi.SCAN_RESULTS" />
        </intent-filter>
    </receiver>

    <!-- warning : Exported receiver does not require permission-->
    <receiver
        android:name=".receivers.BatteryMonitoringReceiver"
        android:enabled="false">
        <intent-filter>
            <action android:name="@string/intent_action_setup_alarm" />
            <action android:name="@string/intent_action_cancel_alarm" />
            <action android:name="@string/intent_action_monitor" />
        </intent-filter>
    </receiver>

The first is for receiving the BOOT_COMPLETED action. The second is for receiving android.net.wifi.SCAN_RESULTS. The third one is for receiving some actions that I broadcast (intent_action_monitor), and some actions broadcast using AlarmManager (intent_action_setup_alarm, etc.).

Two questions:

  • Why don't I get a warning on all receivers?
  • What permissions do I need to set for receivers intended to receive from system services to correct the warning (I understand what I mean, and I do not want anyone to use my receivers in any case)? Will exported="false" do for boot receivers, Wi-Fi receivers, alarm receivers, etc.?

    I was thinking about using a custom permission with android:protectionLevel="signatureOrSystem", but the docs advise both this level of protection and user permissions. So how should I deal with this warning?

Links to documents and/or some code will be highly appreciated.

+49
android android-permissions android-manifest android-broadcastreceiver broadcastreceiver
Apr 19 '13 at 19:48
4 answers

Why am I not getting a warning on all recipients?

Because the first two are clearly designed to be broadcast by Android. The latter is unknown, partly because you did not specify the value of the string resource and, possibly, because these are your own unique action strings.

What permissions do I need to set for receivers designed to receive from system services to correct a warning

The correct solution is to remove the <intent-filter>. If you pass these Intents or if you wrap an Intent in a getBroadcast() PendingIntent, you don't need action strings. Use the Intent constructor that takes a Java class object as the second parameter, and use that:

 new Intent(this, BatteryMonitoringReceiver.class) 

You can still attach the action string to the Intent if you want, but you can drop the <intent-filter> (the routing will be based on the supplied component, in this case the Java class).

Use an <intent-filter> only when you expect the OS or third-party applications to start the Intent themselves (the execution of the PendingIntent that you created is not taken into account).

+54
Apr 19 '13 at 19:54

If you want to export the receiver to other processes, you can add your own permission to the Android manifest file to avoid this warning, for example:

    <permission
        android:name="com.yourpage.permission.YOUR_PERMISSION"
        android:protectionLevel="normal" />
    <uses-permission android:name="com.yourpage.permission.YOUR_PERMISSION" />

    <!-- warning : Exported receiver does not require permission-->
    <receiver
        android:name=".receivers.BatteryMonitoringReceiver"
        android:permission="com.yourpage.permission.YOUR_PERMISSION"
        android:enabled="false">
        <intent-filter>
            <action android:name="@string/intent_action_setup_alarm" />
            <action android:name="@string/intent_action_cancel_alarm" />
            <action android:name="@string/intent_action_monitor" />
        </intent-filter>
    </receiver>

For more information, you can refer to http://developer.android.com/training/articles/security-tips.html

+20
Jul 11 '13 at 15:23

The warning is "Exported receiver does not require permission". You have an intent-filter with some action (which means that by default you have android:exported="true", and now it can receive broadcasts from ANY broadcasters outside of your application). Because it can receive broadcasts from ANY broadcasters outside of your application, it warns you, saying: "Hey, are you sure ANY broadcaster can call you? In my opinion, it is better if you allow only those broadcasters to call you who have the permission that you set for this receiver via android:permission."

You can remove this warning by adding android:exported="false" in the receiver tag.

+15
Feb 19 '15 at 10:51

If, like me, you are here because your application built with the previous version of the SDK has stopped working with newer versions and you would like to fix it with minimal changes, just add

    android:exported="false"

to the receiver tag in the manifest file. CommonsWare's solution obviously applies to the long term, but this temporarily fixes the problem if you use custom intents and don't want to export them.

If you follow Lubo's approach, you will need to export this user permission, which will be requested by the user before installation. This means that the descriptive text for the permission must be well written so that you do not frighten the user into changing their mind about installing the application. In addition, it must be translated into all your target languages.

+3
Sep 11 '14 at 21:02
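The rule the answers above describe, as an added example that is not part of the original thread and not the lint tool's own code: a small manifest audit showing how the `android:exported` default and `android:permission` decide which receivers draw the warning. The sample manifest is constructed (`.NoFilter`, `.NotExported` and `.Guarded` are hypothetical names for the three fixes), and the `android.` prefix test for system broadcasts is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the question's boot and custom-action receivers, plus
# hypothetical receivers showing the three fixes proposed in the answers.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <permission android:name="com.yourpage.permission.YOUR_PERMISSION" android:protectionLevel="normal" />
  <application>
    <receiver android:name=".receivers.TriggerMonitoringBootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED" /></intent-filter>
    </receiver>
    <receiver android:name=".receivers.BatteryMonitoringReceiver">
      <intent-filter><action android:name="@string/intent_action_monitor" /></intent-filter>
    </receiver>
    <receiver android:name=".NoFilter" />
    <receiver android:name=".NotExported" android:exported="false">
      <intent-filter><action android:name="@string/intent_action_monitor" /></intent-filter>
    </receiver>
    <receiver android:name=".Guarded" android:permission="com.yourpage.permission.YOUR_PERMISSION">
      <intent-filter><action android:name="@string/intent_action_monitor" /></intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_receivers(manifest_xml):
    """Map each <receiver> name to a finding about its exposure."""
    root = ET.fromstring(manifest_xml)
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.iter("permission")}
    findings = {}
    for r in root.iter("receiver"):
        actions = [a.get(ANDROID + "name", "") for a in r.iter("action")]
        exported = r.get(ANDROID + "exported")
        # With no android:exported attribute, an intent filter implies exported.
        is_exported = exported == "true" or (exported is None and bool(actions))
        perm = r.get(ANDROID + "permission")
        if not is_exported:
            finding = "ok: not exported"
        elif perm:
            finding = "exported, requires %s (%s)" % (perm, levels.get(perm, "undeclared"))
        elif actions and all(a.startswith("android.") for a in actions):
            # Assumption: android.* actions count as system broadcasts.
            finding = "exported for system broadcasts"
        else:
            finding = "WARN: exported receiver does not require permission"
        findings[r.get(ANDROID + "name")] = finding
    return findings
```

A `normal`-level permission is granted to any app that requests it, so the `.Guarded` case silences the warning without restricting senders, whereas a `signature` level limits them to apps signed with the same key. Receivers left exported for system broadcasts remain reachable by component name, so `onReceive` should still check the Intent's action.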


