I have a plugin for my app that is started with a BroadCast. I already managed to add a custom permission, so only apps with the permission can receive the broadcast.

However, I have no idea how to achieve the more important part: How can I check, if the sender has a custom permission, so only my main app can send the broadcast?

I know this is possible, but I don't know how to do it.

Thanks!

Try using:

Context ctx = ...;
int result = ctx.checkCallingPermission("your.permission.goes.here");
if (PackageManager.PERMISSION_GRANTED == result) {
    // Do your stuff here
}

in your broadcast receiver. Or declare the permission in your AndroidManifest.xml where you define your receiver.

<reciever android:name="your.receiver.goes.here"
    android:permission="your.permission.goes.here" />

I've tried using checkCallingPermission from within an AppWidgetProvider and although I've added to the AndroidManifest.xml:

...
    <permission android:permissionGroup="android.permission-group.PERSONAL_INFO"
      android:description="@string/receiveUpdates" android:protectionLevel="normal"
      android:label="@string/receiveStatusUpdates" android:name="my.prem.RCV_STATUS">
    </permission>

    <uses-permission android:name="my.prem.RCV_STATUS"/>
... 

In my widget, result is -1 (PackageManager.PERMISSION_DENIED).

public void onReceive(Context context, Intent intent) {
   ... // check that this is the Action I've been waiting for.
   int result = context.checkCallingPermission(my.prem.RCV_STATUS);
   ....
}

Clicking on the widget sends a PendingIntent to start a services which performs an AsyncTask, the postExecute of the AsyncTask sends the Intent I'm waiting for.

Thanks.