On Wed, May 16, 2012 at 9:39 AM, Kristopher Micinski <[email protected]> wrote:
>> 2) Not every intent is supposed to be public
>
> I don't think these are hard to figure out statically, though, so you
> can just throw those out.

In theory, yes. A <receiver> for a non-public broadcast Intent, for example, should have android:exported="false", just as a <provider> for an internal-use-only ContentProvider should have android:exported="false", and an <activity> or <service> that has an <intent-filter> but, for whatever reason, is still internal-use-only, should have android:exported="false".

In practice, I am willing to bet a substantial sum of money that there are tens of thousands of apps on the Play Store that violate those rules. In effect, they are exposing a public API without intending to support such behavior. This is particularly true with <provider>, since the default behavior is for it to be exported (vs. everything else needing an <intent-filter> to be exported by default).

Just assuming that "if it's exported, everyone should use it" is an invalid assumption, IMHO.

Also, AFAICT, a BroadcastReceiver registered via registerReceiver() is always exported, insofar as you cannot put something in the registerReceiver() call or IntentFilter to say "please, I only want local broadcasts".

On the plus side, with LocalBroadcastManager, we can start moving away from using registerReceiver() for purely private stuff.

--
Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy

Warescription: Three Android Books, Plus Updates, One Low Price!
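
Added example, not part of the original message: a Python manifest check that lists components exported only through the defaults described above (a <provider> with no android:exported, or any other component with an <intent-filter> and no android:exported). The sample manifest, its component names and the function name implicitly_exported are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
EXPORTED = f"{{{ANDROID_NS}}}exported"
NAME = f"{{{ANDROID_NS}}}name"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter><action android:name="com.example.sample.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".InternalReceiver">
      <intent-filter><action android:name="com.example.sample.INTERNAL"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.sample.notes"/>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>
"""

def implicitly_exported(manifest_xml):
    """Return (tag, name, reason) for components exported only by default."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS or comp.get(EXPORTED) is not None:
            continue  # not a component, or the author stated the intent explicitly
        if comp.tag == "provider":
            # Assumption: defaults as described in the message above.
            reason = "provider is exported by default"
        elif comp.find("intent-filter") is not None:
            reason = "intent-filter makes it exported by default"
        else:
            continue  # no filter and no attribute: not exported by default
        findings.append((comp.tag, comp.get(NAME), reason))
    return findings

if __name__ == "__main__":
    for tag, name, reason in implicitly_exported(SAMPLE_MANIFEST):
        print(f"<{tag}> {name}: {reason}; set android:exported explicitly")
```

Each reported component is a candidate for an explicit android:exported="false" if it is internal-use-only, or an explicit android:exported="true" if it is meant to be a public API.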

