Tags: android, broadcastreceiver, intentservice, android-intentservice, localbroadcastmanager

LocalBroadcastManager and possible security related issues


Here is how I am planning to do things:

I have my Activity in which I register a BroadcastReceiver

private LocalBroadcastManager localBroadcastManager;
private BroadcastReceiver broadcastReceiver = new BroadcastReceiver() {
    @Override
    public void onReceive(Context context, Intent intent) {
        // handle received data
    }
};

@Override
protected void onCreate(Bundle savedInstanceState) {
    ....
    // assign the field declared above (not the class name)
    localBroadcastManager = LocalBroadcastManager.getInstance(context);
    // only intents carrying the ACTIVITY action reach the receiver
    IntentFilter intentFilter = new IntentFilter();
    intentFilter.addAction(ACTIVITY);
    localBroadcastManager.registerReceiver(broadcastReceiver, intentFilter);
}

I have an IntentService which fetches data from the web and processes it. During downloading data and on processing completion the service notifies the activity about what it is doing, by sending broadcast messages. Downloading data and processing could take a while, depending on the size of the data. Could take up to 20 minutes for instance.

   localBroadcastManager.sendBroadcast(new Intent(ACTIVITY).putExtra(ACTION, value));

A similar approach is used for the activity to send messages to the IntentService, by registering a receiver within onStartCommand of the service.

This is tested and works fine. I've read about the global BroadcastManager and also about the LocalBroadcastManager and I have my concerns related to security of this approach. Keep in mind that my needs are strictly related to communication between a service and an activity, in both ways, using mainly parcelable objects.

My questions are:

  1. What security issues could arise by sending the data from the service to activity using LocalBroadcastManager? Are there any situations where the data may leak to another app? Is LocalBroadcast really local? The processed data is private and that is why I have my concerns.

  2. Is there a more optimal way of communication between service and activity?


Solution

    1. As the documentation says:

    This has a number of advantages over sending global broadcasts with sendBroadcast(Intent):

    You know that the data you are broadcasting won't leave your app, so don't need to worry about leaking private data.

    It is not possible for other applications to send these broadcasts to your app, so you don't need to worry about having security holes they can exploit.

    It is more efficient than sending a global broadcast through the system.

    2. There is a more advanced way to do a connection between services and activities: Service Binding (Check also the Additional notes!)

    With intents you are restricted to using a Bundle to pass data between activity and service; with binding, that is not the case.
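
The service-binding alternative mentioned in the answer above, sketched as an added example that is not part of the original question or answer. The names `DownloadService`, `LocalBinder`, `ProgressListener`, `setListener` and `publish` are hypothetical, and a plain `Service` in the app's own process is assumed.

```java
// Added example; all class and method names here are hypothetical.
import android.app.Service;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;

public class DownloadService extends Service {

    /** Callback implemented by the bound activity. Objects are passed by
     *  reference inside the process, so no Bundle or Parcelable is needed. */
    public interface ProgressListener {
        void onProgress(int percent, Object payload);
    }

    /** Local binder: the cast in the client only works inside this process. */
    public class LocalBinder extends Binder {
        public DownloadService getService() {
            return DownloadService.this;
        }
    }

    private final IBinder binder = new LocalBinder();
    private volatile ProgressListener listener;

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    @Override
    public boolean onUnbind(Intent intent) {
        listener = null; // drop the activity reference so it is not leaked
        return false;
    }

    /** Activity -> service direction: plain method calls on the service. */
    public void setListener(ProgressListener l) {
        listener = l;
    }

    /** Service -> activity direction: called by the worker code.
     *  Runs on the caller's thread; the activity must switch to the
     *  main thread before touching views. */
    void publish(int percent, Object payload) {
        ProgressListener l = listener;
        if (l != null) {
            l.onProgress(percent, payload);
        }
    }
}
```

Declaring the service with `android:exported="false"` in the manifest keeps other apps from binding to it. The activity calls `bindService()` and, in `ServiceConnection.onServiceConnected`, casts the received `IBinder` to `LocalBinder` to reach the service instance.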