Restricting Android Broadcast Receiver from specif

2019-01-23 09:06发布

问题:

I have 2 applications.
If I use service, I can set permission so only app1 can send intent to app2:
Define permission in app2 (protection level: signature), and use that permission in app1.
Service in app2 is protected by that permission.
In this way, only app1 can send an intent to a service on app2, and no other app (unless my signature is leaked) can send intent to service on app2.

Can I do the same with Broadcast Receiver?

  • app1: sendBroadcast(intent, permission)
  • app2: define permission, use that permission.

To my understanding for using sendBroadcast(intent, permission), the application doesn't need to "use" the permission. Meaning ANY application can send intent to app2. Those permission parameters only checked against app2, to avoid other applications to receive this intent. (If I remove app2, and install fake app2 with the same permission string defined, fake app2 can get intent from app1, which is unexpected)

BTW, If application define the permission and use it itself, the protectionLevel(signature) seems to have no meaning. Is this true?

Now, I can set additional permission:

  • app1: Define permission, use that permission.
  • app2: Receiver restricted only for that permission.

Again, if one removes app1, installs fake app1 with the very same permission, then fake app1 can send fake intent to app2. What can I do to prevent app2 from receiving fake intent?

Thanks

回答1:

The tag can also define what permission the broadcasters should have, see http://developer.android.com/guide/topics/manifest/receiver-element.html#prmsn

I means you can protected your receiver from unauthorized broadcasts by coding like this:

...
<permission android:name="com.yourapp.PERMISSION"
    android:protectionLevel="signature"
        android:label="@string/permission_label"
        android:description="@string/permission_desc">
</permission>
...

<receiver android:name=".MyReceiver"
    android:permission="com.yourapp.PERMISSION">
    <intent-filter>
        <action android:name="com.yourapp.ACTION" />
    </intent-filter>
</receiver>
...