Context Registered Broadcast Receivers Not Protected with Permissions

[swati-spec]

Describe your issue. If applicable, add screenshots to help explain your problem.

Hi Team, In one of security assessment tool we are facing an issue related to broadcast receiver method registerReceiver, please check logs for this. The issue highlight is "Context Registered Broadcast Receivers Not Protected with Permissions".

    {
      "type": "java",
      "context": {
        "flags": [],
        "source": {
          "line": 3,
          "name": "com/google/mlkit/common/sdkinternal/model/com.google.mlkit:common@@18.8.0"
        },
        "signature": "Landroid/content/Context;,registerReceiver,(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;Ljava/lang/String;Landroid/os/Handler;)Landroid/content/Intent;",
        "class_name": "android.content.Context",
        "method_name": "registerReceiver"
      }
    }

Steps to reproduce.

integrate google_mlkit_text_recognition: 0.13.0
into flutter app and use security analysis tools like nowsecure

What is the expected result?

Ensure Receivers Are Not Exported:

For Apps Targeting Android 13 or Higher: When registering a receiver, set Context.RECEIVER_NOT_EXPORTED to ensure it is not accessible by external apps.

registerReceiver(receiver, intentFilter, null, handler, Context.RECEIVER_NOT_EXPORTED)

For Apps Targeting Android 12 or Lower: Use ContextCompat.RECEIVER_NOT_EXPORTED in the int flags of ContextCompat.registerReceiver(Context, BroadcastReceiver, IntentFilter, int) or ContextCompat.registerReceiver(Context, BroadcastReceiver, IntentFilter, String, Handler, int).

registerReceiver(receiver, intentFilter, null, handler, ContextCompat.RECEIVER_NOT_EXPORTED)

Did you try our example app?

Yes

Is it reproducible in the example app?

Yes

Reproducible in which OS?

Android

Flutter/Dart Version?

3.27.0 flutter
3.6 dart

Plugin Version?

google_mlkit_text_recognition: 0.13.0
google_mlkit_text_recognition: 0.14.0