Thoughts on BroadcastReceiver Security - 上善若水 - Blog Channel - CSDN.NET
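BroadcastReceiver is one of Android's four major components. It is very widely used and very simple, but there is a security issue we tend to overlook in everyday use. Someone can easily decompile our app to find the broadcasts it uses, and then send those broadcasts to the app over and over. That is certainly not something we want to see. So how do we keep the receivers registered in our app from responding to broadcasts sent by other apps? Before solving this problem, let's first look at how a broadcast is sent.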
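There are usually two ways to send a broadcast in Android: explicit and implicit.

Explicit:

```java
// Explicit broadcast: the target receiver class is named directly.
Intent intent = new Intent(this, MyBroadCastReceiver.class);
this.sendBroadcast(intent);
```

Explicit means specifying exactly which receiver the broadcast is sent to, such as MyBroadCastReceiver in the example above.

Implicit: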
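```java
// Implicit broadcast: receivers are matched by action string only.
Intent intent = new Intent("com.demo.action");
this.sendBroadcast(intent);
```

Implicit means the broadcast is matched by its action; every receiver whose filter matches will respond.

With explicit broadcasts, a receiver rarely responds to someone else's broadcast unless it is being deliberately attacked. Implicit broadcasts run into the problem described above much more easily, because action strings can easily be identical, and once they are identical things go wrong.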
Here are the solutions.

Solution 1:

In your own app, add the `android:exported` attribute when registering the receiver in manifest.xml, as follows:

```xml
<receiver android:name="com.baroad.demo.MyBroadCastReceiver" android:exported="false">
    <intent-filter>
        <action android:name="com.demo.action"/>
    </intent-filter>
</receiver>
```

Once this attribute is added, the receiver will not respond to broadcasts from outside the app.
Solution 2:

Use a custom permission. Declare the custom permission in manifest.xml, then add that permission to the BroadcastReceiver that should respond.

```xml
<permission
    android:name="com.yzy.permission.STARTBROAD"
    android:protectionLevel="normal"/>
```

Then register the permission above on the BroadcastReceiver:
```xml
<receiver android:name="com.baroad.demo.MyBroadCastReceiver" android:permission="com.yzy.permission.STARTBROAD">
    <intent-filter>
        <action android:name="com.demo.action"/>
    </intent-filter>
</receiver>
```
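An added example, not from the original post: a small Python check for Solutions 1 and 2, run over a decoded (text) manifest, that reports which receivers still accept broadcasts from other apps. The sample manifest, the `.OpenReceiver`-style receiver names and `com.yzy.permission.SIGNED` are constructed for illustration. A `normal` permission is granted automatically to any app that requests it, so only `signature`-level permissions are counted as restricting senders.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not a real app); reuses the article's action and permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.baroad.demo">
  <permission android:name="com.yzy.permission.STARTBROAD" android:protectionLevel="normal"/>
  <permission android:name="com.yzy.permission.SIGNED" android:protectionLevel="signature"/>
  <application>
    <receiver android:name=".OpenReceiver">
      <intent-filter><action android:name="com.demo.action"/></intent-filter>
    </receiver>
    <receiver android:name=".PrivateReceiver" android:exported="false">
      <intent-filter><action android:name="com.demo.action"/></intent-filter>
    </receiver>
    <receiver android:name=".WeakPermReceiver" android:permission="com.yzy.permission.STARTBROAD">
      <intent-filter><action android:name="com.demo.action"/></intent-filter>
    </receiver>
    <receiver android:name=".SignedReceiver" android:permission="com.yzy.permission.SIGNED">
      <intent-filter><action android:name="com.demo.action"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_receivers(manifest_xml):
    """Return {receiver name: verdict} for every <receiver> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    # protectionLevel defaults to "normal" when the attribute is omitted.
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.iter("permission")}
    verdicts = {}
    for r in root.iter("receiver"):
        name = r.get(ANDROID + "name")
        has_filter = r.find("intent-filter") is not None
        # With no explicit value, a receiver that has an intent filter is exported.
        exported = r.get(ANDROID + "exported", "true" if has_filter else "false") == "true"
        perm = r.get(ANDROID + "permission")
        level = levels.get(perm, "undeclared")
        if not exported:
            verdicts[name] = "ok: not exported"
        elif perm is None:
            verdicts[name] = "open: any app can send to it"
        elif level.startswith("signature"):
            verdicts[name] = "ok: signature permission"
        else:  # normal/dangerous, or a permission this manifest does not define
            verdicts[name] = "review: permission %s is %s" % (perm, level)
    return verdicts
```

Calling `audit_receivers(SAMPLE_MANIFEST)` returns one verdict per receiver; a sending app also has to declare `<uses-permission>` for the receiver's permission before its broadcasts are delivered.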
Solution 3: The first two solutions are configured on the receiving side. The third is configured on the sending side: specify which package name your broadcast is valid for.

```java
Intent intent = new Intent("com.demo.action");
// Restrict delivery to receivers in this package only.
intent.setPackage("com.two.demo");
this.sendBroadcast(intent);
```
Solution 4: Use LocalBroadcastManager to implement the broadcast.

```java
private LocalBroadcastManager mLocalBroadcastManager;
private BroadcastReceiver mReceiver;

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);
    IntentFilter filter = new IntentFilter();
    filter.addAction("com.demo.action");
    mReceiver = new MyBroadCastReceiver();
    // Register with the in-process manager instead of the system-wide one.
    mLocalBroadcastManager = LocalBroadcastManager.getInstance(this);
    mLocalBroadcastManager.registerReceiver(mReceiver, filter);
}

public void start(View view) {
    // Delivered only to receivers registered with this LocalBroadcastManager.
    mLocalBroadcastManager.sendBroadcast(new Intent("com.demo.action"));
}

@Override
protected void onDestroy() {
    mLocalBroadcastManager.unregisterReceiver(mReceiver);
    super.onDestroy();
}
```
That's all for this introduction. With the four solutions above, you can keep your app from responding to broadcasts sent by other apps.