Securing Broadcast Receivers

Access to Broadcast Receivers can be controlled in two ways:

  1. The sender of a broadcast Intent can restrict which Broadcast Receivers can receive it.

  2. A Broadcast Receiver can restrict which components are able to send a broadcast Intent to it.

Thus we are able to control both the sending and receiving of broadcasts.

Controlling who can receive a broadcast

The sender of a broadcast Intent can control which Broadcast Receivers are able to receive the broadcast by passing, in addition to the intent itself, a permission to the sendBroadcast() method.

Only Broadcast Receivers in apps that have requested, and been granted that permission, are able to receive the broadcast Intent. As already noted earlier, sendBroadcast() does not throw a SecurityException as permissions are checked when the broadcast Intent is delivered.

Controlling who’s broadcasts we receive

A Broadcast Receiver can control which components are able to send broadcast Intents to it in one of two ways. If the Broadcast Receiver is registered in the app’s AndroidManifest.xml file, then setting a permission using the android:permission attribute in the <receiver> element, will restrict access to the Broadcast Receiver to only those apps that have requested and been granted that permission.

For dynamically registered Broadcast Receivers, the required permission can be passed as an argument to the registerReceiver() method.

Share this article:

This article is from the free online course:

Secure Android App Development

University of Southampton