如何修复未受保护的 SMS BroadcastReceiver lint 警告
How to fix Unprotected SMS BroadcastReceiver lint warning
我的应用程序需要能够接收短信。一切正常,但我收到此 lint 警告:
BroadcastReceivers that declare an intent-filter for SMS_DELIVER or
SMS_RECEIVED must ensure that the caller has the BROADCAST_SMS
permission, otherwise it is possible for malicious actors to spoof
intents.
我如何"ensure that the caller has the BROADCAST_SMS permission"?
在我的清单中我有:
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<application ...>
<receiver
android:name=".SmsReceiver"
android:enabled="true"
android:exported="true">
<intent-filter android:priority="1000">
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
</intent-filter>
</receiver>
</application>
我的代码:
public class SmsReceiver extends BroadcastReceiver {
public SmsReceiver() {}
@Override
public void onReceive(final Context context, final Intent intent) {
final Bundle bundle = intent.getExtras();
if (bundle != null) {
final Object[] pdusObj = (Object[]) bundle.get("pdus");
for (int i = 0; i < pdusObj.length; i++) {
final SmsMessage currentMessage = SmsMessage.createFromPdu((byte[]) pdusObj[i]);
// use currentMessage
}
}
}
}
将 android:permission="android.permission.BROADCAST_SMS" 添加到起始 <receiver> 标签。例如:
<receiver
android:name=".SmsReceiver"
android:exported="true"
android:permission="android.permission.BROADCAST_SMS">
<receiver> 上的这个 android:permission 属性指定广播的 发送者 必须持有哪个权限才能广播到您的<receiver>。这是一种安全措施;在这种情况下,您可以相对确定是系统发送了 SMS_RECEIVED 广播。它不是严格要求的,但如果它不存在,lint 显然会抱怨。
我的应用程序需要能够接收短信。一切正常,但我收到此 lint 警告:
BroadcastReceivers that declare an intent-filter for SMS_DELIVER or SMS_RECEIVED must ensure that the caller has the BROADCAST_SMS permission, otherwise it is possible for malicious actors to spoof intents.
我如何"ensure that the caller has the BROADCAST_SMS permission"?
在我的清单中我有:
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<application ...>
<receiver
android:name=".SmsReceiver"
android:enabled="true"
android:exported="true">
<intent-filter android:priority="1000">
<action android:name="android.provider.Telephony.SMS_RECEIVED" />
</intent-filter>
</receiver>
</application>
我的代码:
public class SmsReceiver extends BroadcastReceiver {
public SmsReceiver() {}
@Override
public void onReceive(final Context context, final Intent intent) {
final Bundle bundle = intent.getExtras();
if (bundle != null) {
final Object[] pdusObj = (Object[]) bundle.get("pdus");
for (int i = 0; i < pdusObj.length; i++) {
final SmsMessage currentMessage = SmsMessage.createFromPdu((byte[]) pdusObj[i]);
// use currentMessage
}
}
}
}
将 android:permission="android.permission.BROADCAST_SMS" 添加到起始 <receiver> 标签。例如:
<receiver
android:name=".SmsReceiver"
android:exported="true"
android:permission="android.permission.BROADCAST_SMS">
<receiver> 上的这个 android:permission 属性指定广播的 发送者 必须持有哪个权限才能广播到您的<receiver>。这是一种安全措施;在这种情况下,您可以相对确定是系统发送了 SMS_RECEIVED 广播。它不是严格要求的,但如果它不存在,lint 显然会抱怨。