[Request]: Context Registered Broadcast Receivers Not Protected with Permissions #3488
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Plugin
connectivity_plus: ^6.1.3
Use case
Hi Team, In one of security assessment tool we are facing an issue related to broadcast receiver method registerReceiver, please check logs for this.
{
"type": "java",
"context": {
"flags": [],
"source": {
"line": 58,
"name": "dev/fluttercommunity/plus/connectivity/ConnectivityBroadcastReceiver.java"
},
"signature": "Landroid/content/Context;,registerReceiver,(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;",
"class_name": "android.content.Context",
"method_name": "registerReceiver"
}
}
Proposal
Ensure Receivers Are Not Exported:
For Apps Targeting Android 13 or Higher: When registering a receiver, set Context.RECEIVER_NOT_EXPORTED to ensure it is not accessible by external apps.
registerReceiver(receiver, intentFilter, null, handler, Context.RECEIVER_NOT_EXPORTED)
For Apps Targeting Android 12 or Lower: Use ContextCompat.RECEIVER_NOT_EXPORTED in the int flags of ContextCompat.registerReceiver(Context, BroadcastReceiver, IntentFilter, int) or ContextCompat.registerReceiver(Context, BroadcastReceiver, IntentFilter, String, Handler, int).
registerReceiver(receiver, intentFilter, null, handler, ContextCompat.RECEIVER_NOT_EXPORTED)
The text was updated successfully, but these errors were encountered: