
Security: protect EventsReceiver with signature-level permission #342

Open

jdickey1 wants to merge 1 commit into capcom6:master from jdickey1:fix/exported-events-receiver

Conversation


@jdickey1 jdickey1 commented Apr 5, 2026

Summary

  • Add signature-level custom permission to EventsReceiver to prevent message state spoofing by other apps
  • Add explicit android:exported="false" to WebService declaration

Problem

The EventsReceiver BroadcastReceiver is declared android:exported="true" without permission protection. Any app on the device can send forged ACTION_SENT/ACTION_DELIVERED intents with arbitrary dataString (parsed as "$id|$phoneNumber") and resultCode to:

  • Mark pending messages as delivered (forging delivery confirmation)
  • Mark messages as failed (denial of service)

Fix

Declare a custom permission with android:protectionLevel="signature" and apply it to the receiver. This ensures only the SMS Gateway app itself (or apps signed with the same certificate) can trigger delivery state updates.

Test plan

  • Build and install the APK
  • Send an SMS and verify delivery tracking still works
  • Verify that a test app attempting to send ACTION_SENT intent is blocked by the permission

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Security Updates
    • Introduced a new permission system to restrict access to SMS-related events
    • Enhanced service security by preventing unauthorized external access
    • Implemented signature-based permission verification controls

The EventsReceiver BroadcastReceiver was declared exported=true in the
manifest without any permission protection. This allowed any app on the
device to send forged ACTION_SENT/ACTION_DELIVERED intents to manipulate
message delivery state in the database.

Add a signature-level custom permission (me.capcom.smsgateway.permission.SMS_STATUS)
to the receiver declaration so only the app itself (or apps signed with the
same key) can send these intents.

Also add explicit android:exported="false" to WebService which was missing
the attribute.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
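As an added check that is not part of this PR or of the project's code: a small manifest linter in Python that flags exported activities, receivers and services any co-installed app can target, i.e. exported components with no android:permission, or with a permission whose protectionLevel is not signature-level. It embeds two constructed manifest fragments that mirror the before/after declarations the PR describes; only the permission name me.capcom.smsgateway.permission.SMS_STATUS comes from the PR, while the package attribute and the .EventsReceiver and .WebService class paths are assumptions.

```python
"""Lint an AndroidManifest.xml for exported components any app can reach.

Added example for PR #342; not code from the android-sms-gateway project.
The two manifest fragments below are constructed to model the declarations
the PR describes. Package name and component class paths are assumptions.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Content providers follow different export defaults and are not checked here.
CHECKED_TAGS = ("activity", "receiver", "service")


@dataclass(frozen=True)
class Finding:
    tag: str
    name: str
    reason: str


def _attr(el: ET.Element, name: str) -> str | None:
    """Read an android:* attribute; ElementTree keys attributes by namespace URI."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def find_open_components(manifest_xml: str) -> list[Finding]:
    """Return exported components that are not gated by a signature-level permission."""
    root = ET.fromstring(manifest_xml)
    # Custom permissions declared in this manifest: name -> protectionLevel.
    levels = {_attr(p, "name"): (_attr(p, "protectionLevel") or "normal")
              for p in root.iter("permission")}
    app = root.find("application")
    if app is None:
        return []
    findings: list[Finding] = []
    for comp in app:
        if comp.tag not in CHECKED_TAGS:
            continue
        name = _attr(comp, "name") or "?"
        exported = _attr(comp, "exported")
        if exported is None:
            # Before Android 12 a component with an intent-filter was exported
            # by default; Android 12+ refuses to install such a manifest.
            if comp.find("intent-filter") is not None:
                findings.append(Finding(comp.tag, name,
                    "android:exported not set but an intent-filter is declared"))
            continue
        if exported.lower() != "true":
            continue
        perm = _attr(comp, "permission")
        if perm is None:
            findings.append(Finding(comp.tag, name, "exported without android:permission"))
        elif perm in levels:
            # 'normal' and 'dangerous' permissions can be requested by any app.
            if "signature" not in levels[perm]:
                findings.append(Finding(comp.tag, name,
                    f"guarded by {perm} with protectionLevel={levels[perm]}, which any app can request"))
        elif not perm.startswith("android.permission."):
            findings.append(Finding(comp.tag, name,
                f"guarded by {perm}, which this manifest does not declare"))
    return findings


# Constructed "before" fragment: EventsReceiver exported with no permission,
# WebService with no explicit android:exported attribute.
BEFORE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="me.capcom.smsgateway">
    <application>
        <receiver android:name=".EventsReceiver"
            android:exported="true" />
        <service android:name=".WebService" />
    </application>
</manifest>
"""

# Constructed "after" fragment: the change the PR describes.
AFTER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="me.capcom.smsgateway">
    <permission android:name="me.capcom.smsgateway.permission.SMS_STATUS"
        android:protectionLevel="signature" />
    <application>
        <receiver android:name=".EventsReceiver"
            android:exported="true"
            android:permission="me.capcom.smsgateway.permission.SMS_STATUS" />
        <service android:name=".WebService"
            android:exported="false" />
    </application>
</manifest>
"""

if __name__ == "__main__":
    # Lint a real manifest when a path is given, otherwise the embedded samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("before", BEFORE), ("after", AFTER)]
    for label, xml in samples:
        hits = find_open_components(xml)
        print(f"{label}: {len(hits)} open component(s)")
        for f in hits:
            print(f'  <{f.tag} android:name="{f.name}"> {f.reason}')
```

Two caveats a reviewer would add to this fix. A custom signature permission only protects the receiver if the gateway's own definition of it wins; on Android before 5.0 an app installed earlier could define the same permission name with a weaker protectionLevel, whereas 5.0 and later refuse conflicting definitions from apps signed with different keys. And if EventsReceiver is only ever reached through explicit PendingIntents the app hands to SmsManager, android:exported="false" is the simpler fix, because the system delivers a PendingIntent broadcast with the creating app's identity and can target a non-exported component.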

coderabbitai Bot commented Apr 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cfcf3c5f-2b58-449a-a579-06577930d731

📥 Commits

Reviewing files that changed from the base of the PR and between 4d6169b and 1d597c6.

📒 Files selected for processing (1)
  • app/src/main/AndroidManifest.xml

Walkthrough

A custom permission with signature-level protection was introduced. The EventsReceiver receiver was updated to require this permission while remaining exported. The WebService service was explicitly set to non-exported, changing from default export behavior.

Changes

Cohort / File(s): Permission & Security Configuration (app/src/main/AndroidManifest.xml)
Summary: Added custom permission me.capcom.smsgateway.permission.SMS_STATUS with signature protection level. Updated EventsReceiver to require this permission. Explicitly set WebService to non-exported.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks: 3 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately reflects the main security change: adding signature-level permission protection to EventsReceiver, which is the primary objective of the pull request.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


capcom6 (Owner) commented Apr 6, 2026

Hello!

Thank you for your PR.

However, to exploit this vulnerability, you'll need access to the device to install an additional app. You'll then need to know the message ID and phone number for the spoofing.

Marking a message as "Failed" won't trigger a DoS attack, as the app itself doesn't allow for retries.
Marking pending messages as sent/delivered will stop them from being sent. This is bad, but no worse than someone being able to access your phone to install apps.

I'll review the PR in more detail later.

github-actions (Contributor) commented

This PR is stale because it has been open for 7 days with no activity.
