[Request]: Context Registered Broadcast Receivers Not Protected with Permissions

Open swati-spec opened this issue 11 months ago • 0 comments

Plugin

connectivity_plus: ^6.1.3

Use case

Hi Team, in one security assessment tool we are facing an issue related to the broadcast receiver method registerReceiver. Please check the logs for this.

{ "type": "java", "context": { "flags": [], "source": { "line": 58, "name": "dev/fluttercommunity/plus/connectivity/ConnectivityBroadcastReceiver.java" }, "signature": "Landroid/content/Context;,registerReceiver,(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;", "class_name": "android.content.Context", "method_name": "registerReceiver" } }

Proposal

Ensure Receivers Are Not Exported:

For Apps Targeting Android 13 or Higher: When registering a receiver, set Context.RECEIVER_NOT_EXPORTED to ensure it is not accessible by external apps.

registerReceiver(receiver, intentFilter, null, handler, Context.RECEIVER_NOT_EXPORTED)

For Apps Targeting Android 12 or Lower: Use ContextCompat.RECEIVER_NOT_EXPORTED in the int flags of ContextCompat.registerReceiver(Context, BroadcastReceiver, IntentFilter, int) or ContextCompat.registerReceiver(Context, BroadcastReceiver, IntentFilter, String, Handler, int).

ContextCompat.registerReceiver(context, receiver, intentFilter, null, handler, ContextCompat.RECEIVER_NOT_EXPORTED)

swati-spec, Feb 20 '25 07:02
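The registration pattern proposed in the issue above, written out as an added example; it is not code from connectivity_plus or from the issue author. The class name `NetworkChangeListener`, the `onChange` callback and the choice of `ConnectivityManager.CONNECTIVITY_ACTION` as the filter action are assumptions made for illustration, and `ContextCompat.registerReceiver` requires a recent androidx.core dependency.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.ConnectivityManager;
import androidx.core.content.ContextCompat;

/** Hypothetical wrapper for illustration; not the plugin's ConnectivityBroadcastReceiver. */
public final class NetworkChangeListener extends BroadcastReceiver {
  private final Context context;
  private final Runnable onChange; // hypothetical callback supplied by the caller
  private boolean registered;

  public NetworkChangeListener(Context context, Runnable onChange) {
    // Hold the application context so the registration does not pin an Activity.
    this.context = context.getApplicationContext();
    this.onChange = onChange;
  }

  public void start() {
    if (registered) return;
    // Assumed action; the issue does not say which filter the plugin uses.
    IntentFilter filter = new IntentFilter(ConnectivityManager.CONNECTIVITY_ACTION);

    // Form reported by the scanner (two-argument call, no flag, no permission):
    //   context.registerReceiver(this, filter);

    // Flagged form: the receiver cannot receive broadcasts from other apps.
    // ContextCompat accepts the flag on every API level the app supports.
    ContextCompat.registerReceiver(
        context, this, filter, ContextCompat.RECEIVER_NOT_EXPORTED);
    registered = true;
  }

  public void stop() {
    if (!registered) return;
    context.unregisterReceiver(this);
    registered = false;
  }

  @Override
  public void onReceive(Context ctx, Intent intent) {
    // Second check: act only on the action this receiver registered for.
    if (intent == null
        || !ConnectivityManager.CONNECTIVITY_ACTION.equals(intent.getAction())) {
      return;
    }
    onChange.run();
  }
}
```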