65

I see that some broadcast receiver use this tag android:exported="true" in Android Manifest.xml to register.

<receiver android:exported="true" android:name="com.flyingsoftgames.googleplayquery.QueryReceiver">
    <intent-filter>
       <action android:name="com.android.vending.INSTALL_REFERRER" />
    </intent-filter>
</receiver>

What exactly the use of android:exported="true" to register broadcast receiver in Android?

starball
  • 20,030
  • 7
  • 43
  • 238
N Sharma
  • 33,489
  • 95
  • 256
  • 444

2 Answers2

82

From the Developer Guide:

android:exported Whether or not the broadcast receiver can receive messages from sources outside its application — "true" if it can, and "false" if not. If "false", the only messages the broadcast receiver can receive are those sent by components of the same application or applications with the same user ID. The default value depends on whether the broadcast receiver contains intent filters. The absence of any filters means that it can be invoked only by Intent objects that specify its exact class name. This implies that the receiver is intended only for application-internal use (since others would not normally know the class name). So in this case, the default value is "false". On the other hand, the presence of at least one filter implies that the broadcast receiver is intended to receive intents broadcast by the system or other applications, so the default value is "true".

This attribute is not the only way to limit a broadcast receiver's external exposure. You can also use a permission to limit the external entities that can send it messages (see the permission attribute).

Mou
  • 2,027
  • 1
  • 18
  • 29
  • Hi @Mou, Is there any security risk if android:exported is not declared? – Renz Manacmol Jun 26 '19 at 03:58
  • 1
    what does "user ID" referred to here "the only messages the broadcast receiver can receive are those sent by components of the same application or applications with the same user ID" – Rishabh Dhiman Aug 21 '19 at 07:22
  • 1
    @RishabhDhiman the "user ID" here mostly refers to the application id – Simran Sharma Aug 01 '21 at 04:12
  • 3
    @renzvader apps targeting Android 12 will not build if exported is not declared Manifest merger failed: Apps targeting Android 12 and higher are required to specify an explicit value for android: exported when the corresponding component has an intent filter defined. See https://developer.android.com/guide/topics/manifest/activity-element#exported for details. – rosu alin Nov 24 '21 at 12:01
56

android:exported

true : broadcast receiver can receive events sent by same or others applications

false‍ : broadcast receiver can receive events sent by same application

CopsOnRoad
  • 237,138
  • 77
  • 654
  • 440
Haresh Chhelana
  • 24,720
  • 5
  • 57
  • 67
  • 14
    So if I want to listen to system events (i.e. Bluetooth on/off state), I should use **exported=true**? – IgorGanapolsky Aug 09 '17 at 20:53
  • 2
    @IgorGanapolsky In that case you don't have to use this attribute. – CopsOnRoad Jan 24 '18 at 14:23
  • 4
    https://developer.android.com/guide/topics/manifest/receiver-element.html#exported default value depends upon presence of intent filter – Shubham AgaRwal Apr 01 '19 at 09:37
  • @CopsOnRoad same goes for wear communication as well? should I make exported=false for app Broadcast receiver that is used for widget and wear communication? – Fakhar Jul 26 '22 at 07:31