I was looking at the documentation for PendingIntent.getBroadcast(Context, int, Intent, int) and it mentions that...
For security reasons, the Intent you supply here should almost always be an explicit intent, that is specify an explicit component to be delivered to through Intent.setClass
What exactly are the security reasons? What makes explicit Intents more secure if other applications can still create one using only your package name and the component's name?
I've seen the report at NIST.gov about a PendingIntent-based security vulnerability that affected all of Android 4.x, where a malicious app could send Intents as the SYSTEM user. However, I'm not sure if the same concerns apply to my app.
If an Intent is handled by a BroadcastReceiver and the Intent isn't used to pass data (as extras, for example,) is there still a risk?
My guess is that what they really meant was:
For security reasons, the Intent you supply here should almost always be an explicit Intent pointing to a non-exported component, that is specify an explicit component to be delivered to through Intent.setClass
Your concern about "other applications can still create one using only your package name and the component's name" is only valid if the component is exported. For a BroadcastReceiver, it will be exported by default only if it has an <intent-filter> (or IntentFilter, if registering via registerReceiver()).
If an Intent is handled by a BroadcastReceiver and the Intent isn't used to pass data (as extras, for example,) is there still a risk?
Off the cuff, there are two risks with using implicit Intents:
On the sending side, anyone can respond to your broadcast. While you might think that the mere existence of the broadcast is not a privacy/security leak — and in your specific case, it might not be a leak — that is not universally true.
On the receiving side, if your component is exported (the default if it can handle an implicit Intent), other parties could send you fake broadcasts, perhaps tricking you into doing something unfortunate.
Related
I'm coming up to speed on Android development and the distinction between an implicit intent and a broadcast receiver is unclear. I was hoping for help in distinguishing these concepts and when to use the two.
Both receive intents, both react to system messages, so why is a broadcast receiver even needed and when is it used as opposed to an implicit intent and intent filter to accept the implicit intent?
Broadcasts are just that -- messages broadcast to anyone listening. They are inherently insecure, and delivery to the intended recipient isn't guaranteed, because there really isn't an intended recipient. For example, the CONNECTIVITY_CHANGE broadcast makes this quite clear: When connectivity changes in an Android device, many apps might be interested. Rather than the ConnectivityManager having to notify each app via specific Intent, it sends a broadcast. Any app that has registered interest in this event will be notified. Any app that isn't running or doesn't care... won't.
An Intent is "sent" when one app or Activity wants to launch another to do something very specific. For example, a file-manager might want to launch an image viewer or video player. Your app might want to launch a very specific Activity within another one of your apps, etc. The communication by specific intents (i.e. including package name and component name) can not easily be intercepted, so it's somewhat more secure. Most importantly, there's only and exactly one "receiver" -- if none can be found, the Intent will fail.
Further, a BroacastReceiver will be active within an Activity or Service and received broadcasts will generally only change state and/or do minor UI updates... for example, you might disable a few actions if your internet connectivity is dropped. By comparison, a specific Intent will usually launch a new Activity or bring an existing one to the foreground.
I am going to compile a list here of all the differences between Implicit Intents (sent via startActivity()) and Broadcasts (sent via sendBroadcast())
Broadcasts, by default, can affect multiple applications at once (Ordered Broadcasts have the potential to be disrupted). In contrast, Implicit Intents will only affect one application. Please note that there may be multiple possibilities of applications that could be affected, but eventually only one will be.
Implicit Intents are handled via Intent-Filters, and Broadcasts are handled via Broadcast Receivers (albeit the intent-filters play a role here too). I have seen in many instances over the web that Broadcasts are compared to Intent-filters and that does not make sense to me.
An Implicit Intent launches an Activity, or a Service. By contrast, a Broadcast launches a Broadcast Receiver. (This, if you think about it, is the core difference between Intents and Broadcasts. It is because of this reason that Broadcasts aren't meant to do too much heavy work, and especially not UI work!)
From the Developers Website:
There is no way for a BroadcastReceiver to see or capture Intents used
with startActivity(); likewise, when you broadcast an Intent, you will
never find or start an Activity. These two operations are semantically
very different: starting an Activity with an Intent is a foreground
operation that modifies what the user is currently interacting with;
broadcasting an Intent is a background operation that the user is not
normally aware of.
I'll add more if I find anything else.
I'm trying to better understand the topic of intents.
An explicit intent is configured with a component's name. In every example I've seen, it's used to start or stop the component. Is this the only purpose of an explicit intent?
An implicit intent doesn't have a target component. Implicit intents can also start/stop a component, but they can also be received by BroadcastReceivers. Is there another way to receive an implicit intent?
When the OS sends the intent with the action set to Action.MAIN, that's an explicit intent, right?
Thanks.
From the android documentation:
Explicit intents specify the component to start by name (the
fully-qualified class name). You'll typically use an explicit intent
to start a component in your own app, because you know the class name
of the activity or service you want to start. For example, start a new
activity in response to a user action or start a service to download a
file in the background.
Implicit intents do not name a specific component, but instead declare
a general action to perform, which allows a component from another app
to handle it. For example, if you want to show the user a location on
a map, you can use an implicit intent to request that another capable
app show a specified location on a map.
Explicit intents, as you've said, are used to start an activity in your application -- or to transition from one "screen" to another. An explicit intent would be something like Intent intent = new Intent(currentContext, ActivityB.class); These types of intents are used when you are within your application and explicitly know which component you want to start depending on how the user interacts with your activity.
Implicit Intents don't directly specify the Android components which should be called, but rather just specify a general action to be performed. These are generally used when you would like some external application to do something for you. An example of an implicit intent used to send an email using an external application would be:
Intent i = new Intent(Intent.ACTION_SEND);
i.setType("message/rfc822");
i.putExtra(Intent.EXTRA_EMAIL , new String[]{"someemail#gmail.com"});
i.putExtra(Intent.EXTRA_SUBJECT, "subject");
i.putExtra(Intent.EXTRA_TEXT , "body");
This intent would query for applications installed on the device that can handle sending an email, but there could be quite a few applications that can do this -- for example, if we have a gmail application, hotmail application, etc. So, basically you're just specifying a general action and asking the system "who can handle this", and the system will handle the rest. These types of intents are used by application developers so they don't have to "reinvent the wheel" if there is already something on the device that can do what the developer wants.
Here's a couple of references that might help explain it better:
http://developer.android.com/guide/components/intents-filters.html
http://www.vogella.com/articles/AndroidIntent/article.html
Is this the only purpose of an explicit intent?
An Intent generally is used to:
start an activity
start or stop a service
send a broadcast
An explicit Intent can be used for any of these.
Implicit intents can also start/stop a component, but they can also be received by BroadcastReceivers.
Whether an Intent is implicit or explicit is independent of what sort of role the Intent is used for.
Is there another way to receive an implicit intent?
An implicit Intent serves the roles listed above. You do not normally see it used for starting and stopping a service, though.
When the OS sends the intent with the action set to Action.MAIN, that's an explicit intent, right?
Not necessarily. If by "the OS" you mean "the home screen", and by "sends the intent with the action set to Action.MAIN", you mean "starts an activity based upon the user tapping on an icon in the launcher", then that is an explicit Intent, to identify the particular activity to start. An explicit Intent can have an action string, so it is not ACTION_MAIN that makes the Intent explicit.
Intent is an object which is used for communication between anyone of the android component(Activity, Services, BroadcastReceiver, ContentProvider) and Operating System.
Intent Class provides various constructors depending on what we intend to do.
In a case, Intent sends request to ActivityManager which activity to start. ActivityManager is a part of OS.
Now question will come that why do we require ActivityManager which is outside our application to communicate between two activities inside application. Here comes concept of Implicit and Explicit Intent.
Explicit Intent : To communication between components(Activity) within one application we use explicit intent.
Eg. Send current date from one activity to another.
Implicit Intent : To communicate between activities of different applications.
Eg. One application requesting photos from gallery application.
In case of Implicit Intent ActivityManager makes things easier.
As its name suggest Intent --> It's an "intention" to do an action.
It is a way of sending a message to perform an action which can be listen by other app or O.S.
In Explicit intent you know which work to perform by which person or class.
In Implicit intent you just ask a work to do ... all the apps capable of doing the activity like sharing a message will be shown in a list and you can do your work from any one of them.
Since an application can define same intent filter for different components of the application, it's very likely that intent would match multiple component for the same application. What will happened if it is the case? Will there be any error?
What will happened if it is the case?
Assuming that you are referring to startActivity(), then I would expect all matching activities from your app to appear in the chooser, along with any other activities on the device that match.
Will there be any error?
Probably not. Note, however, that what you are describing is very unusual. Usually, an application only needs one activity to respond to any given Intent structure.
The most suitable intent filter will catch the intent. From the doc:
A different strategy is needed for implicit intents. In the absence of a designated target, the Android system must find the best component (or components) to handle the intent — a single activity or service to perform the requested action or the set of broadcast receivers to respond to the broadcast announcement. It does so by comparing the contents of the Intent object to intent filters, structures associated with components that can potentially receive intents. Filters advertise the capabilities of a component and delimit the intents it can handle. They open the component to the possibility of receiving implicit intents of the advertised type. If a component does not have any intent filters, it can receive only explicit intents. A component with filters can receive both explicit and implicit intents.
...
A filter has fields that parallel the action, data, and category fields of an Intent object. An implicit intent is tested against the filter in all three areas. To be delivered to the component that owns the filter, it must pass all three tests. If it fails even one of them, the Android system won't deliver it to the component — at least not on the basis of that filter. However, since a component can have multiple intent filters, an intent that does not pass through one of a component's filters might make it through on another.
In short: there will be no error. The system tries to find the best match for the intent, which may occasionally involve the user (think about when you install a new browser).
I want to use sendBroadcast to broadcast an intent that can only be received by that application that originated it.
The use case is for an authentication module I'm planning to use between several projects I've built. Currently when a 401 (authorization failed) response code is received it broadcasts an intent that can then be wired in the manifest to bring the user back to the login page.
So just to be clear I'm wondering if I can do this:
Intent i = new Intent("my.custom.logout.broadcast.path.that.will.be.the.same.in.multiple.apps");
sendBroadcast(i);
And somehow the intent doesn't get picked up by other apps that use exactly the same un-modified code base.
Not part of the question, but you should be using permissions for restricting who can send/receive the Broadcasts, especially since you're dealing with authentication. In fact, I would highly recommend looking into the AccountManager (in API demos)
Moving on.. one solution is to pass the originating application's package name or a particular permission string in an Intent extra, and when you respond, use that package name or permission in the response, the same way. Unfortunately you can't target a specific package in a Broadcast Intent.
Yet another solution, is using PendingIntent.getActivity() from the originating application, stuff that PendingIntent into the new for-broadcast Intent as an extra (Intent#putExtra()) and broadcast it using the permissions model above (so sender and receiver can handle permissions properly). When the broadcast receiver has finished doing its thing, it can use the PendingIntent to start the target activity (including the ability to attach additional extras)
For this you can use the LocalBroadcastManager, which is specifically designed for in-app communication.
What is an Intent in Android?
Can someone elaborate with an example?
What are the types of Intents, and why we are using them?
Why are Intents so important in Android?
An Intent is an "intention" to perform an action; in other words,
a messaging object you can use to request an action from another app component
An Intent is basically a message to say you did or want something to happen. Depending on the intent, apps or the OS might be listening for it and will react accordingly. Think of it as a blast email to a bunch of friends, in which you tell your friend John to do something, or to friends who can do X ("intent filters"), to do X. The other folks will ignore the email, but John (or friends who can do X) will react to it.
To listen for an broadcast intent (like the phone ringing, or an SMS is received), you implement a broadcast receiver, which will be passed the intent. To declare that you can handle another's app intent like "take picture", you declare an intent filter in your app's manifest file.
If you want to fire off an intent to do something, like pop up the dialer, you fire off an intent saying you will.
What is an Intent ?
An Intent is basically a message that is passed between components (such as Activities, Services, Broadcast Receivers, and Content Providers). So, it is almost equivalent to parameters passed to API calls. The fundamental differences between API calls and invoking components via intents are:
API calls are synchronous while intent-based invocations are
asynchronous.
API calls are compile-time binding while intent-based calls are
run-time binding.
Of course, Intents can be made to work exactly like API calls by using what are called explicit intents, which will be explained later. But more often than not, implicit intents are the way to go and that is what is explained here.
One component that wants to invoke another has to only express its intent to do a job. And any other component that exists and has claimed that it can do such a job through intent-filters, is invoked by the Android platform to accomplish the job. This means, neither components are aware of each other's existence but can still work together to give the desired result for the end-user.
This invisible connection between components is achieved through the combination of intents, intent-filters and the Android platform.
This leads to huge possibilities like:
Mix and match or rather plug and play of components at runtime.
Replacing the inbuilt Android applications with custom developed
applications.
Component level reuse within and across applications.
Service orientation to the most granular level, if I may say.
Here are additional technical details about Intents from the Android documentation.
An intent is an abstract description of an operation to be performed. It can be used with startActivity to launch an Activity, broadcastIntent to send it to any interested BroadcastReceiver components, and startService(Intent) or bindService(Intent, ServiceConnection, int) to communicate with a Background Service.
An Intent provides a facility for performing late runtime binding between the code in different applications. Its most significant use is in the launching of activities, where it can be thought of as the glue between activities. It is basically a passive data structure holding an abstract description of an action to be performed. The primary pieces of information in an intent are:
action
The general action to be performed, such as ACTION_VIEW,
ACTION_EDIT, ACTION_MAIN, etc.
data
The data to operate on, such as a person record in the contacts
database, expressed as a Uri.
Learn more
Lars Vogel's tutorial
ProgrammerGuru article
Common intents
Intents are a way of telling Android what you want to do.
In other words, you describe your intention. Intents can be used to signal to the Android system that a certain event has occurred. Other components in Android can register to this event via an intent filter.
Following are 2 types of intents
1.Explicit Intents
used to call a specific component. When you know which component you want to launch and you do not want to give the user free control over which component to use. For example, you have an application that has 2 activities. Activity A and activity B. You want to launch activity B from activity A. In this case you define an explicit intent targeting activityB and then use it to directly call it.
2.Implicit Intents
used when you have an idea of what you want to do, but you do not know which component should be launched. Or if you want to give the user an option to choose between a list of components to use. If these Intents are send to the Android system it searches for all components which are registered for the specific action and the data type. If only one component is found, Android starts the component directly. For example, you have an application that uses the camera to take photos. One of the features of your application is that you give the user the possibility to send the photos he has taken. You do not know what kind of application the user has that can send photos, and you also want to give the user an option to choose which external application to use if he has more than one. In this case you would not use an explicit intent. Instead you should use an implicit intent that has its action set to ACTION_SEND and its data extra set to the URI of the photo.
An explicit intent is always delivered to its target, no matter what it contains; the filter is not consulted. But an implicit intent is delivered to a component only if it can pass through one of the component's filters
Intent Filters
If an Intents is send to the Android system, it will determine suitable applications for this Intents. If several components have been registered for this type of Intents, Android offers the user the choice to open one of them.
This determination is based on IntentFilters. An IntentFilters specifies the types of Intent that an activity, service, orBroadcast Receiver can respond to. An Intent Filter declares the capabilities of a component. It specifies what anactivity or service can do and what types of broadcasts a Receiver can handle. It allows the corresponding component to receive Intents of the declared type. IntentFilters are typically defined via the AndroidManifest.xml file. For BroadcastReceiver it is also possible to define them in coding. An IntentFilters is defined by its category, action and data filters. It can also contain additional metadata.
If a component does not define an Intent filter, it can only be called by explicit Intents.
Following are 2 ways to define a filter
1.Manifest file
If you define the intent filter in the manifest, your application does not have to be running to react to the intents defined in it’s filter. Android registers the filter when your application gets installed.
2.BroadCast Receiver
If you want your broadcast receiver to receive the intent only when your application is running. Then you should define your intent filter during run time (programatically). Keep in mind that this works for broadcast receivers only.
After writing a single activity, there comes a need to transition to another activity to perform another task either with or without information from the first activity.
Android platform allows transition by means of Intent Interface.
Words are taken from here: Using Intent Demo and i suggest you to go through this example because they also have provided a code file as well. so you can use it and easily understand the same.
Android Intent
Android Intent lets you navigate from one android activity to another. With examples, this tutorial also talks about various types of Android intents.
Android Intent can be defined as a simple message objects which is used to communicate from 1 activity to another.
Intents define intention of an Application . They are also used to transfer data between activities.
An Android Intent can be used to perform following 3 tasks :
Open another Activity or Service from the current Activity
Pass data between Activities and Services
Delegate responsibility to another application. For example, you can
use Intents to open the browser application to display a URL.
Intent can be broadly classified into 2 categories. There are no keywords for this category and just a broad classification of how android intents are used.
Explicit Android Intent
Explicit Android Intent is the Intent in which you explicitly define the component that needs to be called by Android System.
Intent MoveToNext = new Intent (getApplicationContext(), SecondActivity.class);
Implicit Android Intent
Implicit Android Intents is the intent where instead of defining the exact components, you define the action you want to perform. The decision to handle this action is left to the operating system. The OS decides which component is best to run for implicit intents.
Let us see an example:
Intent sendIntent = new Intent();
sendIntent.setAction(Intent.ACTION_SEND);
For more information you may visit below
http://developer.android.com/reference/android/content/Intent.html
According to their documentation:
An Intent is an object that provides runtime binding between separate components (such as two activities). The Intent represents an app’s "intent to do something." You can use intents for a wide variety of tasks, but most often they’re used to start another activity.
Here is the link with example:
http://developer.android.com/training/basics/firstapp/starting-activity.html#BuildIntent
As the document describes, in order to start an activity (you also need to understand what activity is) use the intent like below
/** Called when the user clicks the Send button */
public void sendMessage(View view) {
Intent intent = new Intent(this, DisplayMessageActivity.class);
EditText editText = (EditText) findViewById(R.id.edit_message);
String message = editText.getText().toString();
intent.putExtra(EXTRA_MESSAGE, message);
startActivity(intent);
}
An intent is an abstract description of an operation to be performed. It can be used with startActivity to launch an Activity, broadcastIntent to send it to any interested BroadcastReceiver components, and startService(Intent) or bindService(Intent, ServiceConnection, int) to communicate with a background Service.
For more details see these links :
1). http://developer.android.com/reference/android/content/Intent.html
2) http://developer.android.com/guide/topics/intents/intents-filters.html
3). http://www.vogella.de/articles/AndroidIntent/article.html
there are many more articles are available.
what is Intent ?
It is a kind of message or information that is passed to the components. It is used to launch an activity, display a web page, send sms, send email etc.
There are two types of intents in android:
Implicit Intent
Explicit Intent
Implicit intent is used to invoke the system components
Example
Intent i = newIntent(android.content.Intent.ACTION_VIEW,Uri.parse(“http://www.amazon.com”));
startActivity(i);
Explicit intent is used to invoke the activity class.
Example
Intent intent = newIntent (this, SecondActivity.class);
startActivity(intent);
you can read more
http://www.vogella.com/tutorials/AndroidIntent/article.html#intents_overview
http://developer.android.com/reference/android/content/Intent.html
An Intent is a class,that is bind the information for doing some actions.
example:passing data one activity to another actvity when user perform such actions in
present activity.
In a broad view, we can define Intent as
When one Activity wants to start another activity it creates an Object
called Intent that specifies which Activity it wants to start.
From the paper Deep Dive into Android IPC/Binder Framework atAndroid Builders Summit 2013 link
The intent is understood in some small but effective lines
Android supports a simple form of IPC(inter process communication) via intents
Intent messaging is a framework for asynchronous communication among Android components (activity, service, content providers, broadcast receiver )
Those components may run in the same or across different apps (i.e. processes)
Enables both point-to-point as well as publish subscribe messaging domains
The intent itself represents a message containing the description of the operation to be performed as well as data to be passed to the recipient(s).
From this thread a simple answer of android architect Dianne Hackborn states it as a data container which it actually is.
From android architecture point of view :
Intent is a data container that is used for inter process communication. It is built on top of the Binder from android architecture point of view.
An Android application can contain zero or more activities. When your application has more than one activity, you often need to navigate from one to another. In Android, you navigate between activities through what is known as an intent. You can pass some data to the activity which you want to start through intent, by using putExtra().
Intents are used to initiate another activity from one activity.It is basically used for several purposes such as sending data to another activity from one activity,and for triggering purposes.
They are basically of two types
Implicit intents.
Explicit intents.
As a beginner I know this much,I think this will give some basic idea about android intents
An intent is basically a way of passing data from one activity to other activity