ibm-mobile-push / android

BY DOWNLOADING, INSTALLING, COPYING, ACCESSING, CLICKING ON AN “ACCEPT” BUTTON, OR OTHERWISE USING THE PROGRAM, LICENSEE AGREES TO THE TERMS OF THIS AGREEMENT.
https://developer.ibm.com/customer-engagement/mobile-app-messaging/

permissions placed in the wrong place in GcmBroadcastReceiver #6

Open soufianeEssabbane opened 6 years ago

soufianeEssabbane commented 6 years ago

Hi,

Based on the documentation and demo app, the GCM receiver has some intent-filters that have a permission attribute, which is wrong. Based on the Android documentation, they don't have them as legal attributes.

<receiver android:name="com.ibm.mce.sdk.gcm.GcmBroadcastReceiver">
    <intent-filter android:permission="com.google.android.c2dm.permission.SEND">
        <action android:name="com.google.android.c2dm.intent.RECEIVE" />
        <category android:name="${applicationId}" />
    </intent-filter>
    <intent-filter android:permission="com.google.android.c2dm.permission.SEND">
        <action android:name="com.google.android.c2dm.intent.REGISTRATION" />
        <category android:name="${applicationId}" />
    </intent-filter>
</receiver>

It's the receiver that should apply the attribute. Actually, the GcmBroadcastReceiver is not protected with a permission and the exported attribute is by default set to true, which is a security threat. This should be something like:

<receiver android:name="com.ibm.mce.sdk.gcm.GcmBroadcastReceiver"
    android:permission="com.google.android.c2dm.permission.SEND">
    <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE" />
        <category android:name="${applicationId}" />
    </intent-filter>
    <intent-filter>
        <action android:name="com.google.android.c2dm.intent.REGISTRATION" />
        <category android:name="${applicationId}" />
    </intent-filter>
</receiver>
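
An added example, not part of the original issue or of the IBM SDK: a Python check over manifest XML that flags the two conditions the post describes, a permission attribute placed on `<intent-filter>` and a receiver that is exported by default with no permission of its own. The function name `audit_receivers`, the finding labels and the wrapped sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

def audit_receivers(manifest_xml):
    """Return sorted (receiver, finding) pairs for a manifest given as a string."""
    findings = set()
    for app in ET.fromstring(manifest_xml).iter("application"):
        app_perm = app.get(A + "permission")  # default applied to every component
        for rcv in app.iter("receiver"):
            name = rcv.get(A + "name")
            filters = rcv.findall("intent-filter")
            # <intent-filter> has no permission attribute; one placed there
            # protects nothing.
            if any(f.get(A + "permission") for f in filters):
                findings.add((name, "permission-on-intent-filter"))
            # Without android:exported, a receiver that declares an intent
            # filter defaults to exported.
            exported = rcv.get(A + "exported", "true" if filters else "false")
            if exported == "true" and not (rcv.get(A + "permission") or app_perm):
                findings.add((name, "exported-without-permission"))
    return sorted(findings)

# Constructed samples: the two <receiver> declarations from the issue, each
# reduced to one filter and wrapped in a minimal manifest so it parses.
_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application>
  <receiver android:name="com.ibm.mce.sdk.gcm.GcmBroadcastReceiver"{rcv_attr}>
    <intent-filter{filter_attr}>
      <action android:name="com.google.android.c2dm.intent.RECEIVE" />
      <category android:name="${{applicationId}}" />
    </intent-filter>
  </receiver>
</application></manifest>"""
_PERM = ' android:permission="com.google.android.c2dm.permission.SEND"'
BEFORE = _MANIFEST.format(rcv_attr="", filter_attr=_PERM)
AFTER = _MANIFEST.format(rcv_attr=_PERM, filter_attr="")

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_receivers(doc))
```

The check can be run in a build pipeline against the merged manifest, so a library-contributed receiver is caught as well as the app's own.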