Due to the security model in Android, I am trying to use user permissions with a broadcast receiver.
WHAT I DID :
I declared user permission for the recipient, thereby limiting the broadcasts that it can receive. Some code from the manifest:
<permission android:name="abc"/> <receiver android:name=".UpdateUserReceiver" android:permission="abc" android:enabled="true" android:exported="false"> <intent-filter> <action android:name="android.intent.action.ACTION_UPDATE_USERNAME"/> <category android:name="android.intent.category.DEFAULT"/> </intent-filter> </receiver>
Now I expect that the receiver of UpdateUserReceiver will only receive translations from components that use the "abc" permission.
Broadcast Sending Code:
// Update username. Invoke broadcast. Intent updateUserBroadcast = new Intent(); updateUserBroadcast.putExtra("username", userName); updateUserBroadcast.setAction("android.intent.action.ACTION_UPDATE_USERNAME"); sendBroadcast(updateUserBroadcast);
Activity that broadcasts:
<activity android:name=".UpdateUserNameActivity"> <intent-filter> <action android:name="com.intent.action.UPDATE_USERNAME"/> <category android:name="android.intent.category.DEFAULT"/> </intent-filter> </activity>
Question 1: As you can see, the action never uses the permission that the recipient announced so that he can receive the broadcast from this activity. But still, the receiver is being called, and I suspect it is due to the use of implicit intentions, although I'm not sure. Any ideas?
Question 2: What is the difference between the permission tag declared at the application level and the android tag: permission inside the recipient? I understand the use of the second, which provides permission, before anyone can expect the receiver to receive the broadcast, but then why the first is required. It is necessary for this scenario or it can be deleted. In any case, I checked that the receiver is broadcasting.