Broadcast receivers not protected with Permissions

[digvijaybec]

Is this a support request?
No

Describe the bug
We are using Launch darkly in our app, there is a bug reported by security scan. Broadcast receivers not protected with Permissions and can leak data to other apps.

Receiver name com.launchdarkly.sdk.android.ConnectivityReceiver
class name com.launchdarkly.sdk.android.LDClient
method ()

If this is an issue, please provide a fix.
If not our security team needs an explanation on this to prove this as not issue.

Requesting your help with this.

To reproduce
Security scan by nowsecure and checkmarx.

Expected behavior
This vulnerability should not be reported in scan report.

Logs
If applicable, add any log output related to your problem.

SDK version
3.1.1

Language version, developer tools
Android studio

OS/platform
Android

Additional context
Add any other context about the problem here.

[gwhelanLD]

Hi @digvijaybec,

The com.launchdarkly.sdk.android.ConnectivityReceiver is used to receive notifications of when the device's network connectivity state changes. Depending on the target version of the application, the receiver is either declared in the manifest or configured when initializing the LDClient. In both cases the BroadcastReceiver has an intent filter that only listens for the android.net.conn.CONNECTIVITY_CHANGE action. This broadcast is sent by the system, not the SDK so there is no possibility of leaking data to other applications.

Thanks,
@gwhelanLD

[digvijaybec]

@gwhelanLD Thank you so much for your response. I hope this helps in closing the issue from our security scan.

[eli-darkly]

Closing this issue since it does not seem to represent an actual security vulnerability. Please feel free to reopen if there is still a concern.