setPackage for intent in gingerbread

Asked 21/2, 2012 at 0:43 Answered 10/3, 2012 at 9:16

Alternatively, starting with ICE_CREAM_SANDWICH, you can also safely restrict the broadcast to a single application with Intent.setPackage

Is there any way in Gingerbread (using the compatibility library perhaps) to restrict a sendBroadcat() event such that it only sends it to a specified package?

Petropavlovsk answered 21/2, 2012 at 0:43 Comment(0)

My first suggestion would be to use LocalBroadcastManager if at all possible. This allows you to completely ignore any security issues.

If you really do need to send the broadcast from one app to another, it is indeed true that registerReceiver() did not respect the setPackage restriction until ICS so you can not rely on it until then. There is no secret trick to do what you want, it's just that the platform doesn't have the facility for it.

That said... if you are to the point of specifying an explicit package name, why not just go all the way and use Intent.setComponent()?

Also keep in mind that even setPackage() or setComponent() are not automatically completely secure -- you are still making an assumption that you know who is implementing that package name, and it is entirely possible for a different app than what you expect to be installed through side-loading, even if you own the name in the Play Store.

Council answered 10/3, 2012 at 9:16 Comment(2)

yes in my case I can guarantee the apps are what I know they are. We're building a custom android device and side-loading is disabled. – Petropavlovsk 12/3, 2012 at 16:24

this LocalBroadcastManager is not deprecated please refer android doc – Menorrhagia 19/9, 2023 at 17:13

The docs say setPackage was introduced in API Level 4, but perhaps there was a framework change that makes it function different/better in ICS. What about creating your own Intent Filter that your receivers will recognize? The NotePad example near the bottom of this page shows an example: in the manifest, the NoteEditor example specifies

<action android:name="com.android.notepad.action.EDIT_NOTE" />

which is a custom action defined by the app.

Hbomb answered 21/2, 2012 at 0:58 Comment(1)

the problem w/ that is that any app can define an intent filter w/ the same action. whereas setPackage will actually limit it to the app package, which I can be certain there will not be any spoofing of (in my specific context) – Petropavlovsk 21/2, 2012 at 1:2

As broadcasts are handled by the system, I cannot imagine that there's any way to code in a workaround without touching the system's code (so the compatibility package won't help).

If you're really interested in keeping a broadcast secure, you can follow the Android docs suggestion for pre-Android 4.0 by using permissions:

To enforce a permission when sending, you supply a non-null permission argument to sendBroadcast(Intent, String) or sendOrderedBroadcast(Intent, String, BroadcastReceiver, android.os.Handler, int, String, Bundle). Only receivers who have been granted this permission (by requesting it with the tag in their AndroidManifest.xml) will be able to receive the broadcast.

Ataliah answered 21/2, 2012 at 1:46 Comment(1)

from what I can tell, there's no way to create a custom permission in the broadcaster that would be aware of the app that would be targeted by setPackage. I noticed that there is a way to request permissions, but I'm pretty sure that is an OS level thing, or is there a way you know of in which my app can respond to those requests and grant/deny access to my custom defined permission? – Petropavlovsk 21/2, 2012 at 9:47

Recommended topics

Hot tags