I read loast of tutorials about how to make an app start at system boot (Link, Link...).
My receiver looks like this, the rest like described in the tutorials:
<receiver android:enabled="true" android:name=".BootUpReceiver"
android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED" />
</intent-filter>
</receiver>
But my app just won't start... any ideas?
Too stuipid!
You need to add the full path to the receiver class:
<receiver android:enabled="true" android:name="com.mypackage.whatever.BootUpReceiver"
My receiver looks like this, the rest like described in the tutorials
Your <receiver> element is incorrect. You are requiring that the sender of the broadcast hold the RECEIVE_BOOT_COMPLETED permission, which may or may not be true. Please remove the android:permission attribute. If needed, add RECEIVE_BOOT_COMPLETED as a <uses-permission> element, to say that you wish to hold that permission.
Related
I know that I can start activity on boot by calling it from a BroadcastReceiver but what if I wanted to do the following:
<activity
android:name="MyActivity"
android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED" />
</intent-filter>
</activity>
is this possible? and how?
is this possible?
No.
First, android.intent.action.BOOT_COMPLETED is a broadcast Intent. You cannot respond to it via an <activity> or <service> manifest element.
Second, android:permission="android.permission.RECEIVE_BOOT_COMPLETED will prevent anything from starting your activity, unless it also holds RECEIVE_BOOT_COMPLETED. That is not how you usually use that particular permission.
Following the Google developer instructions on implementing Firebase in my app, I notice that android lint complains.
The idea is that we have to implement two services which inherit from Firebase services:
public class MyFirebaseInstanceIDService extends FirebaseInstanceIdService { ... }
public class MyFirebaseMessagingService extends FirebaseMessagingService { ... }
and then register those services in the manifest. But, it's not quite perfect. In particular, these two recommended AndroidManifest.xml service entries do not contain any special permissions:
<service android:name=".MyFirebaseMessagingService">
<intent-filter>
<action android:name="com.google.firebase.MESSAGING_EVENT"/>
</intent-filter>
</service>
<service android:name=".MyFirebaseInstanceIDService">
<intent-filter>
<action android:name="com.google.firebase.INSTANCE_ID_EVENT"/>
</intent-filter>
</service>
and so the linter says:
Exported services (services which either set exported=true or contain an intent-filter and do not specify exported=false) should define a permission that an entity must have in order to launch the service or bind to it. Without this, any application can use this service.
Should I just add this attribute to each service tag and be done with it
tools:ignore="ExportedService"
or is there a better approach in this situation? I mean, is it safe to expose these particular Firebase derived services like this?
You ask: ...is it safe to expose these particular Firebase derived services like this? It is if you trust the comments in the manifest files for these services.
In Android Studio, open your app's AndroidManifest.xml file. At the bottom of the window, select the tab for Merged Manifest. Scroll to find the entry for FirebaseMessagingService. Double-click on the line that contains the service name. The manifest file for the service should open and you will see this:
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.google.firebase.messaging">
<uses-sdk android:minSdkVersion="14"/>
<application>
<!-- FirebaseMessagingService performs security checks at runtime,
no need for explicit permissions despite exported="true" -->
<service android:name="com.google.firebase.messaging.FirebaseMessagingService" android:exported="true">
<intent-filter android:priority="-500">
<action android:name="com.google.firebase.MESSAGING_EVENT"/>
</intent-filter>
</service>
</application>
</manifest>
Note the comment: FirebaseMessagingService performs security checks at runtime, no need for explicit permissions despite exported="true"
You can do the same for FirebaseInstanceIdService and see the same comment.
If you trust the comments (I do), you can safely ignore the lint warnings or disable the checks.
<service android:name=".java.MyFirebaseMessagingService"
android:exported="false">
<intent-filter>
<action android:name="com.google.firebase.MESSAGING_EVENT" />
</intent-filter>
</service>
Based on the official code sample, it's safe to set exported=false
I have some receivers declared in my AndroidManifest :
<!-- no warning -->
<receiver
android:name=".receivers.TriggerMonitoringBootReceiver"
android:enabled="false">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED" />
</intent-filter>
</receiver>
<!-- no warning -->
<receiver
android:name=".receivers.ScanResultsReceiver"
android:enabled="false">
<intent-filter>
<action android:name="android.net.wifi.SCAN_RESULTS" />
</intent-filter>
</receiver>
<!-- warning : Exported receiver does not require permission-->
<receiver
android:name=".receivers.BatteryMonitoringReceiver"
android:enabled="false">
<intent-filter>
<action android:name="#string/intent_action_setup_alarm" />
<action android:name="#string/intent_action_cancel_alarm" />
<action android:name="#string/intent_action_monitor" />
</intent-filter>
</receiver>
The first one is meant to receive a BOOT_COMPLETED action. The second is meant to receive android.net.wifi.SCAN_RESULTS. The third one is meant to receive some actions I broadcast (intent_action_monitor) and some actions broadcasted by the AlarmManager (intent_action_setup_alarm etc).
Two questions:
Why don't I get the warning on all receivers?
What permissions do I need to set for receivers meant to receive from system services to correct the warning (I understand what it is about and I don't want anyone to use my receivers anyway) ? Will exported="false" do for boot receivers, wifi receivers, alarm receivers etc?
I thought of using a custom permission with android:protectionLevel="signatureOrSystem" but the docs advise against both this protection level and custom permissions. So how I should handle this warning ?
Links to the docs and/or some code will be much appreciated.
Why don't I get the warning on all receivers ?
Because the first two are clearly designed to be broadcast by Android. The last one is unknown, partly because you did not supply the string resource values, and possibly because they are your own unique action strings.
What permissions do I need to set for receivers meant to receive from system services to correct the warning
The correct solution is to delete the <intent-filter>. If you are broadcasting these Intents, or if you are wrapping an Intent in a getBroadcast() PendingIntent, you do not need action strings. Use the Intent constructor that takes the Java class object as the second parameter, and use that:
new Intent(this, BatteryMonitoringReceiver.class)
You are welcome to still attach an action string to that Intent, if you want, but you can dump the <intent-filter> (routing will be based on the supplied component, in this case the Java class).
Only use an <intent-filter> when you are expecting the OS or third-party apps to initiate the Intent themselves (executing a PendingIntent that you created does not count).
The warning "Exported receiver does not require permission" means, You have an intent-filter with some action (which means by default you have android:exported="true" set and it can now receive broadcasts from ANY broadcasters outside of your application) Since it can receive broadcasts from ANY broadcasters outside of your application, it warns you by saying "Hey, are you sure ANY broadcaster can invoke you? In my opinion, it is better if you allow only those broadcasters to invoke you that has the permission you have set for this receiver through android:permission"
You can remove this warning by adding android:exported="false" to the receiver tag
If you do want to export your receiver to other processes, you can add your own permission definition in your android-manifest file for avoiding this warning, like
<permission
android:name="com.yourpage.permission.YOUR_PERMISSION"
android:protectionLevel="normal" />
<uses-permission
android:name="com.yourpage.permission.YOUR_PERMISSION" />
<receiver <!-- warning : Exported receiver does not require permission-->
android:name=".receivers.BatteryMonitoringReceiver"
android:permission="com.yourpage.permission.YOUR_PERMISSION"
android:enabled="false" >
<intent-filter>
<action android:name="#string/intent_action_setup_alarm" />
<action android:name="#string/intent_action_cancel_alarm" />
<action android:name="#string/intent_action_monitor" />
</intent-filter>
</receiver>
for more information, you can refer to http://developer.android.com/training/articles/security-tips.html
If, like me, you are here because your app built with a previous SDK version stopped working with more recent versions and you would like to fix it with minimal change, just add
android:exported=false
to the receiver tag in the manifest file. The solution by CommonsWare is obviously the one to go with for the long term but this fixes the issue temporarily if you are using custom intents and don't mean to export them.
Going by Lubo's way, you would need to export this custom permission, which would prompt the user before installation. That means the descriptive text for the permission needs to be well written so you don't end up scaring the user into changing his mind about installing the app. Also, it would need to be translated into all your target languages.
To hide this warning, add tools:ignore="ExportedReceiver" to the receiver:
<receiver
android:name=".MyReceiverIndentedForOtherAppsWithoutPermissions"
tools:ignore="ExportedReceiver">
<intent-filter>
<action android:name="com.my.app.CUSTOM_ACTION" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
</receiver>
I have following receiver that listens to Boot_Completed
<receiver android:name=".receivers.ActionBootCompletedReceiver">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/>
<category android:name="android.intent.category.HOME"/>
</intent-filter>
</receiver>
I want to add another intent-filter with my own custom action. And make it private to my app if possible. This is mostly for code reuse so I can run same code path as when BOOT_COMPLETED.
So, I need following (if it's even possible)
1. intent-filter and make it private to my app
2. Code to send that intent so my receiver get's it.
Thanks!
Just use another <action> tag! It is all you need to register receiver for an particular intent.
i have a service in one application and i want to use that service in one more application.so inoder to start or stop or bind with the service should i need to set any permission?if yes what are the permissions?
#Durga
first of all you have to make one services class for example TestService.java
(1)TestServices.java
now you have to require for permission in menifest.xml
<service
android:name=".TestService"
android:enabled="true" />
<receiver android:name="com.yourpackage.AutoStart" >
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED" />
</intent-filter>
</receiver>
now you have to call your services in any activity.
in my case i used receiver to start services in when device is first Boot.
Kindly check the following url ... Hopefully it will be useful for you
Basic of Android