Home/ Questions/Q 8295863
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T14:45:25+00:00

Background I know the receiver in the Dungeons manifest (the in app billing example,

  • 0

Background

I know the receiver in the Dungeons manifest (the in app billing example, for those who don’t know) does not include a permission element, yet Lint warns me: “Exported receiver does not require permission (…) Without this, any application can use this receiver”.

If I understood this right, an application could spoof me with fake data (perhaps in a crafted system, not sure), possibly impersonating the Play application and supplying faked billing records.

Questions

  1. Is that right? What are the implications in a regular, consumer Android device?

  2. What I should write into that to expect normal behavior? Which I presume is allowing my receiver to only receive broadcasts from a legitimate Play app. Is it com.android.vending.BILLING? In this case, I think a spoofed system can possibly declare that. That leads to 3:

  3. Should I also compare to well known Google public signatures, to avoid a spoofed system?

Comments

I know some of this may seem too much for some, yet I’m thinking about the theory here. 🙂

Also, I don’t have use for manifest-defined receivers, so I never paid much attention to them. That said, if I’m not getting it right, please correct me. Yes, I did read the documentation before and just now.

Thank you.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The transaction data is signed with a unique key, tied to your developer account. If you are verifying those properly, no one can spoof the transactions.

    As for why there is no permission defined, the way the signature permission system works in Android is like this: you say ‘this broadcast can only be received by an app signed with the same key as the sender’. As obviously your app is signed with a different key than the Google Play app, signature based permissions cannot be used, and this has to be public.

    Technically, you could check who send the broadcast, get the package name for that UID and compare with known Google Play packages. Those tend to change as new versions are released and are different on some devices (most notably Honeycomb devices), so this might not scale too well and give you false alarms.

    • 0