
private broadcast sender and receiver permissions


I recently did a code scan on my Android source code using the HPFortify service. They reported a security vulnerability regarding one of the broadcast receivers and senders. The broadcast sender and receiver are internal to the app and the intent is not sent outside the application. These are mainly used for internal communication. HPFortify suggested using the broadcaster permission to reduce the attack vector. This way you are restricting the broadcaster; otherwise any malicious application can send the intent and the broadcast receiver will process it. Similarly, they suggested using the receiver permission so that the broadcasted intent is received by the intended receiver. This broadcaster and receiver are internal to the app and other apps don't use this intent. Here is my actual code for the broadcaster:

Intent updatedIntent = new Intent("SOME-ACTION");
Context context = getAppContext();
context.sendBroadcast(updatedIntent); // no permission: any app can receive it

I am dynamically registering the broadcast receiver using the following code snippet.

this.registerReceiver(updatedReceiver,
    new IntentFilter("SOME-ACTION")); // no permission: any app can send to it

HPFortify suggests using sendBroadcast with the permission string, for example:

Intent updatedIntent = new Intent("SOME-ACTION");
Context context = getAppContext();
context.sendBroadcast(updatedIntent, "SOME-PERMISSION");

Similarly for the broadcast receiver:

this.registerReceiver(updatedReceiver,
    new IntentFilter("SOME-ACTION"),
    "SOME-PERMISSION", null);

I am not sure how to define this permission and use it in the broadcaster and broadcast receiver. Do I need to define the private permission in the AndroidManifest.xml and use it here?


Solution

  • If you need to broadcast within the application, then use LocalBroadcastManager, because the local broadcast manager never sends a broadcast intent outside of the current process.

    And if you want other applications to be able to receive or send your broadcasts, then use BroadCastManager, and you need to apply uses-permission (a custom user permission).

    For more info, please see the Android documentation for BroadcastReceiver below; it gives detailed information about security in the Security section.

    http://developer.android.com/reference/android/content/BroadcastReceiver.html
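As an added worked example (not code from the question or the answer), here is the manifest declaration the question asks about, with the sender and receiver using it, and the LocalBroadcastManager alternative from the answer. The package name, permission name and action string are assumed placeholders.

```java
// Added example: a signature-level private permission guarding an in-app broadcast.
// Assumed names: package com.example.app, action com.example.app.SOME_ACTION,
// permission com.example.app.permission.INTERNAL_BROADCAST.
//
// 1) Declare the permission in AndroidManifest.xml and grant it to the app itself.
//    protectionLevel="signature" means only apps signed with the same certificate
//    can hold it, so a third-party app can neither send nor receive the action:
//    <permission android:name="com.example.app.permission.INTERNAL_BROADCAST"
//                android:protectionLevel="signature" />
//    <uses-permission android:name="com.example.app.permission.INTERNAL_BROADCAST" />

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import androidx.localbroadcastmanager.content.LocalBroadcastManager;

public class InternalBroadcasts {
    static final String PERMISSION = "com.example.app.permission.INTERNAL_BROADCAST";
    static final String ACTION = "com.example.app.SOME_ACTION";

    // 2) Sender: only receivers holding PERMISSION get the intent. setPackage()
    //    additionally makes the broadcast explicit to this app, so it is never
    //    offered to other packages at all.
    static void sendUpdate(Context context) {
        Intent updatedIntent = new Intent(ACTION);
        updatedIntent.setPackage(context.getPackageName());
        context.sendBroadcast(updatedIntent, PERMISSION);
    }

    // 3) Receiver: only senders holding PERMISSION can deliver to it; a crafted
    //    intent from an app without the permission is dropped before onReceive().
    static BroadcastReceiver registerUpdateReceiver(Context context) {
        BroadcastReceiver receiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context ctx, Intent intent) {
                // Handle the update; validate extras like any other input.
            }
        };
        context.registerReceiver(receiver, new IntentFilter(ACTION), PERMISSION, null);
        return receiver;
    }

    // 4) The answer's alternative: LocalBroadcastManager never leaves the process,
    //    so no permission is needed (deprecated in AndroidX 1.1.0, but still works).
    static void sendLocally(Context context) {
        LocalBroadcastManager.getInstance(context).sendBroadcast(new Intent(ACTION));
    }
}
```

Both the sender and the receiver must hold the permission for the check to pass in either direction, which is why the app declares `uses-permission` for its own permission.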