broadcaster permission for android.net.conn.CONNECTIVITY_CHANGE

Question

I recently did a code scan on my Android source code using HPFortify service. They reported security vulnerability regarding one of the broadcast receivers. They suggested to use the broadcaster permission to reduce the attack vector. This way you are restricting broadcaster, otherwise any malicious application can send the intent and broadcast receiver will process it.

Here is a my actual code:

<receiver
    android:name="com.xyz.core.util.ConnectionChangeReceiver"
    android:label="NetworkConnection">
    <intent-filter>
       <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
    </intent-filter>
</receiver>

HPfortify recommends that I should be using something like this:

<receiver
        android:name="com.xyz.core.util.ConnectionChangeReceiver"
        android:permission="SOME-PERMISSION"
        android:label="NetworkConnection">
        <intent-filter>
           <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        </intent-filter>
    </receiver>

I tried to look into the source code and documentation but I am not able to find the right broadcaster permission.

Answer 1

You can create your own permission, which makes it impossible to call your receiver unless the caller has the same permission. This is useful for cooperating applications.

Here is the description of the permission tag in the Android Manifest: http://developer.android.com/guide/topics/manifest/permission-element.html

What you can do is something like:

<permission
    android:name="com.xyz.permission.YOUR_PERMISSION"
    android:protectionLevel="normal" />

<uses-permission
    android:name="com.xyz.permission.YOUR_PERMISSION" />

<receiver
    android:name="com.xyz.core.util.ConnectionChangeReceiver"
    android:permission="com.xyz.permission.YOUR_PERMISSION"
    android:label="NetworkConnection">
    <intent-filter>
       <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
    </intent-filter>
</receiver>