One of RECEIVER_EXPORTED or RECEIVER_NOT_EXPORTED should be specified when a receiver isn't being registered exclusively for system broadcasts

When an Android app registers a broadcast receiver that is not exclusively for system broadcasts, the registration must explicitly specify either the RECEIVER_EXPORTED or the RECEIVER_NOT_EXPORTED flag, starting from Android 13 and becoming mandatory on Android 14. This is a new security requirement that defines whether the broadcast receiver can receive broadcasts from other apps (RECEIVER_EXPORTED) or is limited to receiving broadcasts from within the app (RECEIVER_NOT_EXPORTED). Failure to specify one of these flags will cause a security exception at runtime.

Key points:

  • RECEIVER_EXPORTED should be used if the broadcast receiver can accept broadcasts from other apps.
  • RECEIVER_NOT_EXPORTED should be used if the broadcast receiver only receives broadcasts within the app, i.e., not exported.
  • This requirement applies when registering broadcast receivers programmatically via context.registerReceiver() starting in Android 13 and strictly enforced on Android 14.
  • For receivers declared in the Android manifest, the android:exported attribute must be set correspondingly.
  • This is designed to improve security by explicitly marking receivers' exposure scope for broadcasts.

Example of registering a receiver programmatically on Android 14 or higher:

```java
context.registerReceiver(broadcastReceiver, intentFilter, Context.RECEIVER_EXPORTED);
// or
context.registerReceiver(broadcastReceiver, intentFilter, Context.RECEIVER_NOT_EXPORTED);
```

If the receiver is only for local app use, LocalBroadcastManager can be used, which does not require these flags. The requirement is enforced so that apps do not accidentally expose receivers to other apps, preventing potential security vulnerabilities.
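A fuller registration for an app-internal broadcast, as an added example that is not part of the original page: it gates the flag on the API level, unregisters the receiver, and keeps the sending side inside the app. The class name `SyncStatusActivity` and the action string are hypothetical.

```java
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;
import android.util.Log;

// Added example; class name and action string are assumptions, not from the page.
public class SyncStatusActivity extends Activity {
    // Hypothetical app-private action, constructed for this example.
    private static final String ACTION_SYNC_DONE = "com.example.app.action.SYNC_DONE";

    private final BroadcastReceiver syncReceiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            // Validate the action before acting on the intent.
            if (!ACTION_SYNC_DONE.equals(intent.getAction())) return;
            Log.d("SyncStatus", "sync finished");
        }
    };

    @Override
    protected void onStart() {
        super.onStart();
        IntentFilter filter = new IntentFilter(ACTION_SYNC_DONE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            // Android 13 (API 33) and later: state the exposure explicitly.
            registerReceiver(syncReceiver, filter, Context.RECEIVER_NOT_EXPORTED);
        } else {
            // The flag constants do not exist before API 33. Here the receiver
            // is reachable by other apps, so onReceive must not trust extras.
            registerReceiver(syncReceiver, filter);
        }
    }

    @Override
    protected void onStop() {
        unregisterReceiver(syncReceiver);
        super.onStop();
    }

    // Sender side: restrict delivery to this app's own package.
    void notifySyncDone() {
        Intent intent = new Intent(ACTION_SYNC_DONE);
        intent.setPackage(getPackageName());
        sendBroadcast(intent);
    }
}
```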