I have some receivers declared in my AndroidManifest :
在我的安卓系统清单中有一些接收器声明:
<!-- no warning -->
<receiver
android:name=".receivers.TriggerMonitoringBootReceiver"
android:enabled="false">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED" />
</intent-filter>
</receiver>
<!-- no warning -->
<receiver
android:name=".receivers.ScanResultsReceiver"
android:enabled="false">
<intent-filter>
<action android:name="android.net.wifi.SCAN_RESULTS" />
</intent-filter>
</receiver>
<!-- warning : Exported receiver does not require permission-->
<receiver
android:name=".receivers.BatteryMonitoringReceiver"
android:enabled="false">
<intent-filter>
<action android:name="@string/intent_action_setup_alarm" />
<action android:name="@string/intent_action_cancel_alarm" />
<action android:name="@string/intent_action_monitor" />
</intent-filter>
</receiver>
The first one is meant to receive a BOOT_COMPLETED action. The second is meant to receive android.net.wifi.SCAN_RESULTS. The third one is meant to receive some actions I broadcast (intent_action_monitor) and some actions broadcasted by the AlarmManager (intent_action_setup_alarm etc).
第一个目标是接收一个BOOT_COMPLETED操作。第二个是接收android.net.wifi.SCAN_RESULTS。第三个是接收我广播的一些动作(intent_action_monitor)和AlarmManager广播的一些动作(intent_action_setup_alarm等)。
Two questions:
两个问题:
- Why don't I get the warning on all receivers?
- 为什么不让我收到所有接收器的警告?
- What permissions do I need to set for receivers meant to receive from system services to correct the warning (I understand what it is about and I don't want anyone to use my receivers anyway) ? Will
exported="false"do for boot receivers, wifi receivers, alarm receivers etc?
I thought of using a custom permission withandroid:protectionLevel="signatureOrSystem"but the docs advise against both this protection level and custom permissions. So how I should handle this warning ? - 我需要为从系统服务接收的接收方设置什么权限来纠正警告(我理解它的含义,我不希望任何人使用我的接收方)?导出=“false”是否适用于引导接收器、wifi接收器、报警接收器等?我想在android中使用自定义权限:protectionLevel=“签名或系统”,但是文档中建议不使用这种保护级别和自定义权限。那么我该如何处理这个警告呢?
Links to the docs and/or some code will be much appreciated.
链接到文档和/或一些代码将非常受欢迎。
4 个解决方案
#1
56
Why don't I get the warning on all receivers ?
为什么不让我收到所有接收器的警告?
Because the first two are clearly designed to be broadcast by Android. The last one is unknown, partly because you did not supply the string resource values, and possibly because they are your own unique action strings.
因为前两个显然是由Android广播设计的。最后一个是未知的,部分原因是您没有提供字符串资源值,可能是因为它们是您自己的惟一操作字符串。
What permissions do I need to set for receivers meant to receive from system services to correct the warning
我需要为从系统服务接收的接收者设置什么权限来纠正警告
The correct solution is to delete the <intent-filter>. If you are broadcasting these Intents, or if you are wrapping an Intent in a getBroadcast() PendingIntent, you do not need action strings. Use the Intent constructor that takes the Java class object as the second parameter, and use that:
正确的解决方案是删除
new Intent(this, BatteryMonitoringReceiver.class)
You are welcome to still attach an action string to that Intent, if you want, but you can dump the <intent-filter> (routing will be based on the supplied component, in this case the Java class).
如果您愿意,欢迎您仍然将操作字符串附加到该意图上,但是您可以转储< Intent -filter>(路由将基于提供的组件,在本例中是Java类)。
Only use an <intent-filter> when you are expecting the OS or third-party apps to initiate the Intent themselves (executing a PendingIntent that you created does not count).
当您希望操作系统或第三方应用程序自行启动意图时,请仅使用< Intent -filter>(执行您创建的PendingIntent不算数)。
#2
20
If you do want to export your receiver to other processes, you can add your own permission definition in your android-manifest file for avoiding this warning, like
如果您确实想将您的接收器导出到其他进程,您可以在android-manifest文件中添加您自己的权限定义,以避免类似的警告
<permission
android:name="com.yourpage.permission.YOUR_PERMISSION"
android:protectionLevel="normal" />
<uses-permission
android:name="com.yourpage.permission.YOUR_PERMISSION" />
<receiver <!-- warning : Exported receiver does not require permission-->
android:name=".receivers.BatteryMonitoringReceiver"
android:permission="com.yourpage.permission.YOUR_PERMISSION"
android:enabled="false" >
<intent-filter>
<action android:name="@string/intent_action_setup_alarm" />
<action android:name="@string/intent_action_cancel_alarm" />
<action android:name="@string/intent_action_monitor" />
</intent-filter>
</receiver>
for more information, you can refer to http://developer.android.com/training/articles/security-tips.html
要了解更多信息,可以参考http://developer.android.com/training/articles/securitytips.html
#3
18
The warning "Exported receiver does not require permission" means, You have an intent-filter with some action (which means by default you have android:exported="true" set and it can now receive broadcasts from ANY broadcasters outside of your application) Since it can receive broadcasts from ANY broadcasters outside of your application, it warns you by saying "Hey, are you sure ANY broadcaster can invoke you? In my opinion, it is better if you allow only those broadcasters to invoke you that has the permission you have set for this receiver through android:permission"
警告“接收器不需要出口许可”的意思是,你有一个意图过滤器和一些行动(这意味着默认你有android:出口= " true "集和它现在可以得到广播电视台以外的应用程序),因为它可以从任何广播接收广播以外的应用程序,它警告你说“嘿,你确定任何广播可以调用吗?在我看来,如果你只允许那些拥有你通过android设置的接收权限的广播公司调用你会更好
You can remove this warning by adding android:exported="false" to the receiver tag
您可以通过将android: exports =“false”添加到receiver标签来删除该警告
#4
3
If, like me, you are here because your app built with a previous SDK version stopped working with more recent versions and you would like to fix it with minimal change, just add
如果你像我一样,因为你用以前的SDK版本构建的应用程序停止了最新版本的工作,你希望用最小的修改来修复它,那就添加吧
android:exported=false
android:出口= false
to the receiver tag in the manifest file. The solution by CommonsWare is obviously the one to go with for the long term but this fixes the issue temporarily if you are using custom intents and don't mean to export them.
到清单文件中的接收标记。CommonsWare的解决方案显然是长期使用的解决方案,但如果您使用自定义意图,而不是打算导出它们,那么这将暂时解决问题。
Going by Lubo's way, you would need to export this custom permission, which would prompt the user before installation. That means the descriptive text for the permission needs to be well written so you don't end up scaring the user into changing his mind about installing the app. Also, it would need to be translated into all your target languages.
通过Lubo的方式,您需要导出这个自定义权限,这将在安装之前提示用户。这意味着许可的描述性文本需要写得很好,这样你就不会吓到用户在安装应用程序时改变主意了。而且,它还需要被翻译成所有的目标语言。
#1
56
Why don't I get the warning on all receivers ?
为什么不让我收到所有接收器的警告?
Because the first two are clearly designed to be broadcast by Android. The last one is unknown, partly because you did not supply the string resource values, and possibly because they are your own unique action strings.
因为前两个显然是由Android广播设计的。最后一个是未知的,部分原因是您没有提供字符串资源值,可能是因为它们是您自己的惟一操作字符串。
What permissions do I need to set for receivers meant to receive from system services to correct the warning
我需要为从系统服务接收的接收者设置什么权限来纠正警告
The correct solution is to delete the <intent-filter>. If you are broadcasting these Intents, or if you are wrapping an Intent in a getBroadcast() PendingIntent, you do not need action strings. Use the Intent constructor that takes the Java class object as the second parameter, and use that:
正确的解决方案是删除
new Intent(this, BatteryMonitoringReceiver.class)
You are welcome to still attach an action string to that Intent, if you want, but you can dump the <intent-filter> (routing will be based on the supplied component, in this case the Java class).
如果您愿意,欢迎您仍然将操作字符串附加到该意图上,但是您可以转储< Intent -filter>(路由将基于提供的组件,在本例中是Java类)。
Only use an <intent-filter> when you are expecting the OS or third-party apps to initiate the Intent themselves (executing a PendingIntent that you created does not count).
当您希望操作系统或第三方应用程序自行启动意图时,请仅使用< Intent -filter>(执行您创建的PendingIntent不算数)。
#2
20
If you do want to export your receiver to other processes, you can add your own permission definition in your android-manifest file for avoiding this warning, like
如果您确实想将您的接收器导出到其他进程,您可以在android-manifest文件中添加您自己的权限定义,以避免类似的警告
<permission
android:name="com.yourpage.permission.YOUR_PERMISSION"
android:protectionLevel="normal" />
<uses-permission
android:name="com.yourpage.permission.YOUR_PERMISSION" />
<receiver <!-- warning : Exported receiver does not require permission-->
android:name=".receivers.BatteryMonitoringReceiver"
android:permission="com.yourpage.permission.YOUR_PERMISSION"
android:enabled="false" >
<intent-filter>
<action android:name="@string/intent_action_setup_alarm" />
<action android:name="@string/intent_action_cancel_alarm" />
<action android:name="@string/intent_action_monitor" />
</intent-filter>
</receiver>
for more information, you can refer to http://developer.android.com/training/articles/security-tips.html
要了解更多信息,可以参考http://developer.android.com/training/articles/securitytips.html
#3
18
The warning "Exported receiver does not require permission" means, You have an intent-filter with some action (which means by default you have android:exported="true" set and it can now receive broadcasts from ANY broadcasters outside of your application) Since it can receive broadcasts from ANY broadcasters outside of your application, it warns you by saying "Hey, are you sure ANY broadcaster can invoke you? In my opinion, it is better if you allow only those broadcasters to invoke you that has the permission you have set for this receiver through android:permission"
警告“接收器不需要出口许可”的意思是,你有一个意图过滤器和一些行动(这意味着默认你有android:出口= " true "集和它现在可以得到广播电视台以外的应用程序),因为它可以从任何广播接收广播以外的应用程序,它警告你说“嘿,你确定任何广播可以调用吗?在我看来,如果你只允许那些拥有你通过android设置的接收权限的广播公司调用你会更好
You can remove this warning by adding android:exported="false" to the receiver tag
您可以通过将android: exports =“false”添加到receiver标签来删除该警告
#4
3
If, like me, you are here because your app built with a previous SDK version stopped working with more recent versions and you would like to fix it with minimal change, just add
如果你像我一样,因为你用以前的SDK版本构建的应用程序停止了最新版本的工作,你希望用最小的修改来修复它,那就添加吧
android:exported=false
android:出口= false
to the receiver tag in the manifest file. The solution by CommonsWare is obviously the one to go with for the long term but this fixes the issue temporarily if you are using custom intents and don't mean to export them.
到清单文件中的接收标记。CommonsWare的解决方案显然是长期使用的解决方案,但如果您使用自定义意图,而不是打算导出它们,那么这将暂时解决问题。
Going by Lubo's way, you would need to export this custom permission, which would prompt the user before installation. That means the descriptive text for the permission needs to be well written so you don't end up scaring the user into changing his mind about installing the app. Also, it would need to be translated into all your target languages.
通过Lubo的方式,您需要导出这个自定义权限,这将在安装之前提示用户。这意味着许可的描述性文本需要写得很好,这样你就不会吓到用户在安装应用程序时改变主意了。而且,它还需要被翻译成所有的目标语言。