search

AppsFlyerSDK / appsflyer-android-sdk

AppsFlyer Android SDK
Other
9 stars 2 forks source link

Security issue on SingleInstallBroadcastReceiver #31

Closed anjalsaneen closed 1 year ago

anjalsaneen commented 3 years ago

Version: 5.2.0

On the documentation, it mentioned the code for SingleInstallBroadcastReceiver like this. 

<!—The AppsFlyer Install Receiver is first and will broadcast to all receivers placed below it -->
<receiver android:name="com.appsflyer.SingleInstallBroadcastReceiver" android:exported="true">
  <intent-filter>
     <action android:name="com.android.vending.INSTALL_REFERRER" />
  </intent-filter>
</receiver>
<!—All other receivers should follow right after -->

SingleInstallBroadcastReceiver Broadcast receiver is accessing publicly here due to android:exported="true". is it needed to make exportable="true". This flag indicates whether the given application component is available to other applications. it's a security vulnerability. Can we make this as android:exported="false"?

github-actions[bot] commented 1 year ago

This issue is closed due to inactivity. If the issue continue, please open a new one.