
NetworkUtils: security scan flagged a dynamically registered broadcast receiver risk #1794

Open
SiberiaDante opened this issue Jan 8, 2024 · 2 comments

@SiberiaDante

Describe the bug

Briefly describe the bug.

  • AndroidUtilCode version: com.blankj:utilcodex:1.31.1
    A security scan flagged NetworkUtils for a dynamically registered broadcast receiver risk. If a receiver is registered dynamically using the global method, it is exported by default for its whole lifecycle. If no access permission is set, system apps or third-party apps can interact with this receiver, leading to sensitive information leakage and possibly permission-bypass, denial-of-service and other attacks.

Related code

File: com.blankj.utilcode.util.NetworkUtils$NetworkChangedReceiver$1.java Method: public void run() Code: v1.registerReceiver(v2, v0);

Suggested fix

1. Use LocalBroadcastManager instead of registerReceiver, so that data is delivered only within the app.
2. Use registerReceiver(BroadcastReceiver, IntentFilter, broadcastPermission, android.os.Handler) instead of registerReceiver(BroadcastReceiver, IntentFilter), so that permissions are checked.
3. Register the BroadcastReceiver statically in AndroidManifest.xml and set exported="false".
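As an added example (not code from this issue or from AndroidUtilCode), the hardened registration the suggestions above describe, in Java: a hypothetical helper that registers the connectivity receiver as not exported through androidx.core's ContextCompat, plus the permission-checking overload from suggestion 2. It assumes androidx.core is on the classpath and that the caller supplies the permission name.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.ConnectivityManager;
import androidx.core.content.ContextCompat;

/** Hypothetical helper (example code, not part of AndroidUtilCode). */
public final class SafeNetworkReceiverRegistrar {

    private SafeNetworkReceiverRegistrar() {}

    /**
     * Registers a connectivity receiver that other apps cannot send to.
     * RECEIVER_NOT_EXPORTED restricts delivery to the app itself and the system,
     * which is enough here because CONNECTIVITY_ACTION is a system broadcast.
     */
    public static BroadcastReceiver registerNotExported(Context context, final Runnable onChange) {
        BroadcastReceiver receiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context ctx, Intent intent) {
                // Defensive check: only act on the expected action, even though the
                // filter already limits it; ignore anything else.
                if (ConnectivityManager.CONNECTIVITY_ACTION.equals(intent.getAction())) {
                    onChange.run();
                }
            }
        };
        IntentFilter filter = new IntentFilter(ConnectivityManager.CONNECTIVITY_ACTION);
        // ContextCompat applies the export flag on API 33+ and handles older levels itself.
        ContextCompat.registerReceiver(context, receiver, filter, ContextCompat.RECEIVER_NOT_EXPORTED);
        return receiver;
    }

    /**
     * Suggestion 2 from the issue: the four-argument overload, where broadcastPermission
     * names a permission a sender must hold to deliver to this receiver. A null Handler
     * means onReceive runs on the main thread. The permission name is supplied by the caller.
     */
    public static BroadcastReceiver registerWithPermission(Context context, BroadcastReceiver receiver,
                                                          String broadcastPermission) {
        IntentFilter filter = new IntentFilter(ConnectivityManager.CONNECTIVITY_ACTION);
        context.registerReceiver(receiver, filter, broadcastPermission, null);
        return receiver;
    }
}
```

Whichever form is used, the receiver returned here must still be passed to unregisterReceiver when the component that registered it goes away.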

@WeiLianYang

For dynamically registered broadcasts, Google's official explanation says there are exceptions: dynamically registering for system broadcasts does not require specifying an export flag. Also, on 7.0 and above, this broadcast is not received even if the receiver is registered statically in the manifest. For the dynamic-registration exception see: https://developer.android.com/about/versions/14/behavior-changes-14?hl=zh-cn#system-broadcasts

@WeiLianYang

The system broadcasts can be found in the broadcast_actions.txt file in this Android SDK directory.
