launchdarkly / android-client-sdk

LaunchDarkly Client-side SDK for Android

Broadcast receivers not protected with Permissions #153

Closed digvijaybec closed 2 years ago

digvijaybec commented 2 years ago

Is this a support request? No

Describe the bug: We are using LaunchDarkly in our app, and a security scan has reported a bug: broadcast receivers not protected with permissions, which can leak data to other apps.

Receiver name: com.launchdarkly.sdk.android.ConnectivityReceiver
Class name: com.launchdarkly.sdk.android.LDClient
Method: ()

If this is an issue, please provide a fix. If not, our security team needs an explanation to prove that this is not an issue.

Requesting your help with this.

To reproduce: Security scan by NowSecure and Checkmarx.

Expected behavior: This vulnerability should not be reported in the scan report.


SDK version: 3.1.1

Language version, developer tools: Android Studio

OS/platform: Android


gwhelanLD commented 2 years ago

Hi @digvijaybec,

The com.launchdarkly.sdk.android.ConnectivityReceiver is used to receive notifications of when the device's network connectivity state changes. Depending on the target version of the application, the receiver is either declared in the manifest or configured when initializing the LDClient. In both cases the BroadcastReceiver has an intent filter that only listens for the android.net.conn.CONNECTIVITY_CHANGE action. This broadcast is sent by the system, not the SDK, so there is no possibility of leaking data to other applications.

Thanks, @gwhelanLD
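As an added illustration (not code from the SDK or from either participant), the following manifest triage separates the case described above, an exported receiver whose filter matches only a system-sent protected broadcast, from receivers that genuinely accept broadcasts any app may send. The manifest is constructed, the two com.example receivers are hypothetical, and the protected-broadcast set is a small subset of what the Android framework declares.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Small subset of the broadcasts the Android framework declares as
# <protected-broadcast>: only the system can send them, so a receiver
# whose filter matches only these actions is unreachable from other apps.
PROTECTED_BROADCASTS = {
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.intent.action.BOOT_COMPLETED",
}

# Constructed manifest (not the SDK's own). The first receiver mirrors the one
# in the scanner finding; the two com.example receivers are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name="com.launchdarkly.sdk.android.ConnectivityReceiver">
      <intent-filter><action android:name="android.net.conn.CONNECTIVITY_CHANGE"/></intent-filter>
    </receiver>
    <receiver android:name="com.example.app.SyncReceiver">
      <intent-filter><action android:name="com.example.app.SYNC"/></intent-filter>
    </receiver>
    <receiver android:name="com.example.app.InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.app.INTERNAL"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def _attr(element, name):
    return element.get("{%s}%s" % (ANDROID_NS, name))

def triage_receivers(manifest_xml):
    """Classify each <receiver>: 'ok' (not exported or permission-guarded),
    'system-only' (exported, but every action is a protected broadcast),
    'review' (exported, unguarded, and accepts an action any app may send)."""
    results = []
    for receiver in ET.fromstring(manifest_xml).iter("receiver"):
        actions = {_attr(a, "name") for f in receiver.findall("intent-filter")
                   for a in f.findall("action")}
        exported = _attr(receiver, "exported")
        # Pre-Android-12 default: a receiver with an intent filter is exported
        # unless android:exported="false" is set explicitly.
        is_exported = exported == "true" if exported is not None else bool(actions)
        if not is_exported or _attr(receiver, "permission"):
            verdict = "ok"
        elif actions and actions <= PROTECTED_BROADCASTS:
            verdict = "system-only"
        else:
            verdict = "review"
        results.append((_attr(receiver, "name"), verdict, sorted(actions)))
    return results
```

Only receivers classified as "review" need a permission or an explicit android:exported="false"; a "system-only" receiver such as the one in this finding can be documented as a false positive for the scanner.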

digvijaybec commented 2 years ago

@gwhelanLD Thank you so much for your response. I hope this helps in closing the issue from our security scan.

eli-darkly commented 2 years ago

Closing this issue since it does not seem to represent an actual security vulnerability. Please feel free to reopen if there is still a concern.