2

I'm installing the code snippet found here for the AndroidManifest. And then the subsequent steps here.

I have two, possibly related, questions.

1: Necessary Libraries?

Firstly, I'm concerned that I have the necessary libraries installed. If I put a bogus path in the AndroidManifest file here, Eclipse doesn't complain at all. So to test it, I went into a java file and put:

import com.google.analytics.tracking.android.CampaignTrackingReceiver;

As it turns out, I have that installed via the segment.io library. But what about com.android.vending.INSTALL_REFERRER?

import com.android.vending.INSTALL_REFERRER;

"...cannot be resolved..."

import com.android.vending;

"...resolves to a package...". Does that mean it has the package but not that particular symbol?

import com.android.bogus;

"...cannot be resolved..."

Seems to be the case.

So, what to make of this? The reason I'm worried is that I have had a situation (Apache http libraries) where one .jar file gave the compiler awareness of the import paths, but not the implementation. I had to add another jar file to get that. Of course I find this out when the app crashes. I could just try it out, except that conveniently enough, because of the nature of this feature, this thing only gets triggered after the user has the app installed from the Play store. Yikes.

Looking around, it looks like I would have to install a separate library if I wanted com.android.vending.billing. Not sure what that says about com.android.vending.

2: Warning: "Exported receiver does not require permission"

Secondly, I get the warning "Exported receiver does not require permission", highlighting this line:

<receiver android:name="com.google.analytics.tracking.android.CampaignTrackingReceiver" android:exported="true">

Other stackoverflow answers for this haven't helped me yet. On this one, the best I could gather was that maybe the <intent-filter> should have been deleted, but no.

Making external="false" fixes it, but as I understand also makes this whole thing useless, since it's triggered from outside the app. Not really sure what to make of this. Is this a security issue?

Community
  • 1
  • 1
orblivion
  • 446
  • 3
  • 12
  • "But what about com.android.vending.INSTALL_REFERRER?" -- that is a string. It is not a class. If you need to refer to this string from Java code, use `"com.android.vending.INSTALL_REFERRER"`, or see if there is some `public static final` data member of some class that contains this string. "Is this a security issue?" -- Lint is pointing out that anything can send broadcasts to your receiver. See if the documentation for this broadcast mentions an `android:permission` attribute you can provide to lock it down better. – CommonsWare Mar 21 '14 at 22:46

1 Answers1

0

Ok I can answer my own question for 1). this gives you a way to test the intent before putting it on the play store.

And the conclusion is that no, there's no jar to install beyond Google Analytics. My app did not crash, and I got the expected response. (However, for others using segment.io, I should note that I haven't gotten it to work with that integration just yet. I'm working on that, not sure if it's possible. For now I put the GA stuff directly as described in the instructions.)

Unless there's the off-chance something else I installed and forgot about gave it to me. I also have Google Play Services lib as a separate project, maybe it's in there. In any case, do the above test, you should make sure it works anyway.

orblivion
  • 446
  • 3
  • 12
  • Did you come to any conclusions regarding the attributes? My thoughts (assuming that you target Android Oreo): - android:exported="true" is needed (some other app must be able to broadcast this?) - Intent-filter for action "com.android.vending.INSTALL_REFERRER" is to be used (?) - Declaration of com.google.android.gms.analytics.CampaignTrackingService can be removed from the manifest (see: https://developers.google.com/android/guides/releases) – Alix Oct 13 '17 at 09:15
  • Some changes have been made for receivers and their declarations but I don't know whether these Google Play receivers are to be considered "implicit": https://developer.android.com/about/versions/oreo/android-8.0-migration.html – Alix Oct 13 '17 at 09:17