Android Context Registered Broadcast Receivers Not Protected with Permissions #47
Description
A static analysis security tool we use it's complaining about this SDK not protecting broadcast receivers properly.
OS: Android
mparticle flutter SDK Version: 1.0.4
The suggestion is to protect the broadcast receivers as described here:
Restricting broadcasts with permissions https://developer.android.com/guide/components/broadcasts.html#restrict-broadcasts-permissions
Android 13 - Safer exporting of context-registered receivers https://developer.android.com/about/versions/13/features#runtime-receivers
Android 14 - Runtime-registered broadcasts receivers must specify export behavior https://developer.android.com/about/versions/14/behavior-changes-14#runtime-receivers-exported
Evidence
com.mparticle.internal.j - e()
{
"class": "com.mparticle.internal.j",
"method": "e()",
"locations": [
{
"location_id": "s1985212c-600a-46be-90f0-95110958f8e4"
}
],
"_raw": {
"api": "Landroid/content/Context;,registerReceiver,(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;",
"line": -1,
"method": "Lcom/mparticle/internal/j;,e,()V",
"source_file": "com/mparticle/internal/SourceFile"
}
}[
{
"id": "s1985212c-600a-46be-90f0-95110958f8e4",
"data": {
"type": "backtrace",
"entries": [
{
"type": "java",
"context": {
"flags": [],
"signature": "Lcom/mparticle/internal/j;,e,()V",
"class_name": "com.mparticle.internal.j",
"method_name": "e"
}
},
{
"type": "java",
"context": {
"flags": [],
"source": {
"line": -1,
"name": "com/mparticle/internal/SourceFile"
},
"signature": "Landroid/content/Context;,registerReceiver,(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;",
"class_name": "android.content.Context",
"method_name": "registerReceiver"
}
}
]
}
}
]