22
   <receiver
        android:name="MyReceiver"
        android:enabled="true"
        android:exported="true">
        <intent-filter>
            <action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
            <action android:name="android.intent.action.BOOT_COMPLETED" />
        </intent-filter>  
  </receiver>

I don't understand if it's needed to be notified. If it were true any app could call my receiver with those actions? So If I make it false the system can send the actions to my receiver?

user3290180
  • 4,260
  • 9
  • 42
  • 77
  • Just read the [official documentation](https://developer.android.com/guide/topics/manifest/receiver-element.html) – dipdipdip Jul 13 '16 at 08:41
  • 4
    for example: "Whether or not the broadcast receiver can receive messages from sources outside its application".... what does it mean outside? Does it involves the system too? – user3290180 Jul 13 '16 at 08:44
  • 1
    Related post - [What is the use of android:exported=“true” in BroadcastReceiver](https://stackoverflow.com/q/27458207/465053) – RBT Sep 08 '18 at 01:26

4 Answers4

30

I don't understand if it's needed to be notified. If it were true any app could call my receiver with those actions? So If I make it false the system can send the actions to my receiver?

Actually, others apps cannot "call your receiver". Other apps can just send broadcast Intents. The System will then call all registered receivers.

In general you shouldn't worry about this. Most of these broadcast Intents are protected so that only system apps can broadcast them anyway. An attempt by another app to broadcast BOOT_COMPLETED, for example, would just be ignored. What would happen if your BroadcastReceiver gets triggered by a rogue app because it broadcast CONNECTIVITY_CHANGE? Probably nothing, because your app should check the real connectivity state in onReceive() anyway, and if there isn't any change you can just ignore it.

Also, you don't need to specify android:enabled="true" because this is the default state. You also don't need to specify android:exported="true" because you have an <intent-filter> attached to your <receiver> which automatically sets android:exported to true.

David Wasser
  • 93,459
  • 16
  • 209
  • 274
  • 8
    Apparently Android 12 requires to set the `android:exported` attribute also for `receiver`. – user905686 Nov 06 '21 at 10:46
  • Just wanted to confirm that the **default value** for `exported` is `true`: https://developer.android.com/guide/topics/manifest/service-element – JCarlosR Jan 19 '22 at 22:48
  • @JCarlosR The **default value** for `exported` is `true` **only if you have `` declared**. Additionally, if your app targets Android 12 or higher and the component has an `` declaration you **must explicitly declare** `exported` (there is no **default value**), see https://developer.android.com/about/versions/12/behavior-changes-12#exported – David Wasser Jan 20 '22 at 10:08
7

If you set android:exported ="false", implies that the receiver is intended only for application-internal use.

Note: This attribute is not the only way to limit a broadcast receiver's external exposure. You can also use a permission to limit the external entities that can send it messages

Gowthaman M
  • 8,057
  • 8
  • 35
  • 54
SaravInfern
  • 3,338
  • 1
  • 20
  • 44
  • 4
    This is wrong. If you set `android:exported="true"`, the receiver is public, not application-internal. Since there is an `` present in the declaration, `android:exported="true"` is redundant because the default setting is `true` if there is an `` present. If you wanted to limit this receiver to application-only, you would need to explicitly set `android:exported="false"`. – David Wasser Jul 14 '16 at 13:54
  • 1
    @DavidWasser sorry my mistake , have edited my answer, thanks for noticing – SaravInfern Jul 14 '16 at 14:17
  • See here for permissions mentioned in the answer: https://developer.android.com/training/permissions/restrict-interactions#broadcast-receivers – VIN Jan 07 '22 at 18:18
0

Adding to @SaravInfern's answer. Here is the relevant permission doc for limiting external entities that can send the receiver messages:

https://developer.android.com/training/permissions/restrict-interactions#broadcast-receivers

VIN
  • 6,385
  • 7
  • 38
  • 77
0

Actual for Android 13. From official documentation:

Whether the broadcast receiver can receive messages from non-system sources outside its application. It's "true" if it can, and "false" if not. If "false", the only messages the broadcast receiver receives are those sent by the system, components of the same application, or applications with the same user ID. If unspecified, the default value depends on whether the broadcast receiver contains intent filters. If the receiver contains at least one intent filter, then the default value is "true". Otherwise, the default value is "false".

So if you receive intents from other apps (not from system) you should set it to true, otherwise false. You can check if intent is system in this list for API 31. For other API's you need to find the file broadcast_actions.txt inside platforms/android-${VERSION}/data path (replace ${VERSION} with target sdk version).

Alex Misiulia
  • 1,542
  • 17
  • 16