[Request]: Context Registered Broadcast Receivers Not Protected with Permissions
Plugin
connectivity_plus: ^6.1.3
Use case
Hi Team, in one of the security assessment tools we are facing an issue related to the broadcast receiver method registerReceiver. Please check the logs for this.
{
  "type": "java",
  "context": {
    "flags": [],
    "source": {
      "line": 58,
      "name": "dev/fluttercommunity/plus/connectivity/ConnectivityBroadcastReceiver.java"
    },
    "signature": "Landroid/content/Context;,registerReceiver,(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;",
    "class_name": "android.content.Context",
    "method_name": "registerReceiver"
  }
}
Proposal
Ensure Receivers Are Not Exported:
For Apps Targeting Android 13 or Higher: When registering a receiver, set Context.RECEIVER_NOT_EXPORTED to ensure it is not accessible by external apps.
registerReceiver(receiver, intentFilter, null, handler, Context.RECEIVER_NOT_EXPORTED)
For Apps Targeting Android 12 or Lower: Use ContextCompat.RECEIVER_NOT_EXPORTED in the int flags of ContextCompat.registerReceiver(Context, BroadcastReceiver, IntentFilter, int) or ContextCompat.registerReceiver(Context, BroadcastReceiver, IntentFilter, String, Handler, int).
ContextCompat.registerReceiver(context, receiver, intentFilter, null, handler, ContextCompat.RECEIVER_NOT_EXPORTED)
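
A triage sketch for findings in the format logged above, added here as an example and not part of the issue or of connectivity_plus: it parses the scanner's signature field (owner, method, JVM descriptor) and reports whether the registerReceiver overload that was called has a flags or a broadcastPermission parameter at all. The function names and the ContextCompat owner handling are assumptions of this example; the sample finding is constructed from the log in the issue.

```python
import json
import re

# Constructed sample: the finding quoted in the issue, trimmed to the fields used here.
FINDING = json.dumps({"context": {
    "source": {"line": 58, "name":
               "dev/fluttercommunity/plus/connectivity/ConnectivityBroadcastReceiver.java"},
    "signature": "Landroid/content/Context;,registerReceiver,"
                 "(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)"
                 "Landroid/content/Intent;",
}})

# One JVM parameter type: optional array dimensions, then a primitive or an L...; class.
_PARAM = re.compile(r"\[*(?:[ZBCSIJFD]|L[^;]+;)")


def parse_signature(signature):
    """Split 'Lowner;,method,(params)ret' into (owner, method, [param types])."""
    owner, method, descriptor = signature.split(",", 2)
    m = re.fullmatch(r"\((.*)\)(.+)", descriptor)
    if m is None:
        raise ValueError(f"not a method descriptor: {descriptor!r}")
    params = _PARAM.findall(m.group(1))
    if "".join(params) != m.group(1):
        raise ValueError(f"unparsed parameter text in {descriptor!r}")
    return owner, method, params


def triage(finding_json):
    """Classify a registerReceiver finding by which overload was called."""
    ctx = json.loads(finding_json)["context"]
    owner, method, params = parse_signature(ctx["signature"])
    if method != "registerReceiver":
        return {"relevant": False}
    # ContextCompat's static overloads take the Context as an extra first argument.
    if owner == "Landroidx/core/content/ContextCompat;":
        params = params[1:]
    return {
        "relevant": True,
        "location": f'{ctx["source"]["name"]}:{ctx["source"]["line"]}',
        # An int in last position is the flags argument (RECEIVER_[NOT_]EXPORTED).
        "has_flags_arg": bool(params) and params[-1] == "I",
        # A String in third position is the broadcastPermission argument.
        "has_permission_arg": len(params) >= 3 and params[2] == "Ljava/lang/String;",
    }
```

The descriptor only identifies the overload: a call that passes a flags argument still has to be read at the call site to confirm the value is RECEIVER_NOT_EXPORTED and not RECEIVER_EXPORTED.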