Description
Plugin
connectivity_plus: ^6.1.3
Use case
Hi Team, in one of the security assessment tools we are facing an issue related to the broadcast receiver method registerReceiver. Please check the logs for this.
{
  "type": "java",
  "context": {
    "flags": [],
    "source": {
      "line": 58,
      "name": "dev/fluttercommunity/plus/connectivity/ConnectivityBroadcastReceiver.java"
    },
    "signature": "Landroid/content/Context;,registerReceiver,(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;",
    "class_name": "android.content.Context",
    "method_name": "registerReceiver"
  }
}
Proposal
Ensure Receivers Are Not Exported:
For Apps Targeting Android 13 or Higher: When registering a receiver, set Context.RECEIVER_NOT_EXPORTED to ensure it is not accessible by external apps.
registerReceiver(receiver, intentFilter, null, handler, Context.RECEIVER_NOT_EXPORTED)
For Apps Targeting Android 12 or Lower: Use ContextCompat.RECEIVER_NOT_EXPORTED in the int flags of ContextCompat.registerReceiver(Context, BroadcastReceiver, IntentFilter, int) or ContextCompat.registerReceiver(Context, BroadcastReceiver, IntentFilter, String, Handler, int).
ContextCompat.registerReceiver(context, receiver, intentFilter, null, handler, ContextCompat.RECEIVER_NOT_EXPORTED)
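
The registration change proposed above, as an added example that is not part of the original issue and not the plugin's own code: it shows the flagged two-argument call beside the ContextCompat form. The class name, the Runnable callback and the choice of ConnectivityManager.CONNECTIVITY_ACTION as the filter are assumptions, and it needs an androidx.core version that provides ContextCompat.registerReceiver.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.ConnectivityManager;
import androidx.core.content.ContextCompat;

// Hypothetical class for illustration; not the plugin's ConnectivityBroadcastReceiver.
public final class NotExportedConnectivityReceiver extends BroadcastReceiver {
    private final Context appContext;
    private final Runnable onConnectivityChanged; // assumed callback into the app
    private boolean registered;

    public NotExportedConnectivityReceiver(Context context, Runnable onConnectivityChanged) {
        this.appContext = context.getApplicationContext();
        this.onConnectivityChanged = onConnectivityChanged;
    }

    public void register() {
        if (registered) return; // avoid registering the same receiver twice
        // Assumed filter: the page does not show which action the plugin listens for.
        IntentFilter filter = new IntentFilter(ConnectivityManager.CONNECTIVITY_ACTION);

        // Form matching the flagged signature (BroadcastReceiver, IntentFilter), no export flag:
        //   appContext.registerReceiver(this, filter);

        // Form with an explicit export flag. ContextCompat picks the platform call
        // that fits the API level the app is running on.
        ContextCompat.registerReceiver(
                appContext, this, filter, ContextCompat.RECEIVER_NOT_EXPORTED);
        registered = true;
    }

    public void unregister() {
        if (!registered) return; // unregisterReceiver throws if the receiver is not registered
        appContext.unregisterReceiver(this);
        registered = false;
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        // Defence in depth: act only on the action this receiver registered for.
        if (intent == null
                || !ConnectivityManager.CONNECTIVITY_ACTION.equals(intent.getAction())) {
            return;
        }
        onConnectivityChanged.run();
    }
}
```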