Permissions associated with Android Application Shortcuts


I'm trying to address some security review items on an Android app that I'm working on, and I'm looking at some "high severity" items related to shortcuts.

The security review is purely a static code analysis effort, and a number of the items the report has highlighted have been red herrings. I suspect that these ones are, too, but I'm looking for a second opinion.

The areas of code / config that have been flagged relate to setting up a shortcut:

// Intent the launcher fires when the shortcut is tapped
Intent shortcutIntent = new Intent(context, MyShortcutActivity.class);
shortcutIntent.setAction(Intent.ACTION_DEFAULT);

// Broadcast asking the launcher to install the shortcut
Intent addIntent = new Intent();
addIntent.putExtra(Intent.EXTRA_SHORTCUT_INTENT, shortcutIntent);
addIntent.putExtra(Intent.EXTRA_SHORTCUT_NAME, "My shortcut");
addIntent.putExtra(Intent.EXTRA_SHORTCUT_ICON_RESOURCE, getShortCutIconResource());
addIntent.setAction("com.android.launcher.action.INSTALL_SHORTCUT");
addIntent.putExtra("duplicate", false);
this.context.sendBroadcast(addIntent);

The security report is complaining that I'm creating these intents with no permissions. But they're intents that are expected to be invoked by the Android OS -- the OS creates the shortcut, and if the shortcut is clicked, the OS is launching MyShortcutActivity. So it doesn't feel to me like there's any special permission that's applicable.

The report is also flagging the definition of MyShortcutActivity:

<activity
    android:name=".MyShortcutActivity"
    ...
    android:exported="true">
        <intent-filter>
            <category android:name="android.intent.category.DEFAULT" />
        </intent-filter>
</activity>

again with a complaint that it's lacking a permission. But since it can be launched by a shortcut, I don't really see what permission is applicable.

Any suggestions?

UPDATE: So I'd already had the INSTALL_SHORTCUT permission in my manifest. Based on answers here, I changed my code above, like so:

this.context.sendBroadcast(addIntent, Manifest.permission.INSTALL_SHORTCUT);

but that doesn't seem to work.


Solution

  • You need to add this permission to create a shortcut on the launcher menu:

    com.android.launcher.permission.INSTALL_SHORTCUT
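
The two manifest facts discussed above can be checked mechanically. The script below is an added example, not part of the original question or answer: it reports whether the INSTALL_SHORTCUT permission is declared and which exported components carry no android:permission, which is the condition the static analysis flagged on MyShortcutActivity. The sample manifest is constructed; its package name and MainActivity are placeholders.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
INSTALL_SHORTCUT = "com.android.launcher.permission.INSTALL_SHORTCUT"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest modelled on the question; package and MainActivity are placeholders.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission
      android:name="com.android.launcher.permission.INSTALL_SHORTCUT" />
  <application>
    <activity android:name=".MainActivity" android:exported="false" />
    <activity android:name=".MyShortcutActivity" android:exported="true">
      <intent-filter>
        <category android:name="android.intent.category.DEFAULT" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return (install_shortcut_declared, exported components with no permission)."""
    root = ET.fromstring(xml_text)
    declared = {e.get(A + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    children = list(app) if app is not None else []
    # android:permission on <application> is the default for every component.
    app_perm = app.get(A + "permission") if app is not None else None
    unguarded = []
    for comp in children:
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(A + "exported")
        if exported is None:
            # Historical default for activities, services and receivers when
            # the attribute is omitted: exported if an intent filter is present.
            is_exported = comp.find("intent-filter") is not None
        else:
            is_exported = exported.lower() == "true"
        if is_exported and not (comp.get(A + "permission") or app_perm):
            unguarded.append(comp.get(A + "name"))
    return INSTALL_SHORTCUT in declared, unguarded


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A component in the second element of the result can be started by any app on the device, so its code should treat every incoming intent as untrusted input.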