android - broadcast receiver - caller verification
I am writing an Android application wherein I need to receive some broadcasts sent by the system. I want to make sure the broadcasts are indeed sent by the system. I found this OWASP video.
At time 18:00 in the video, the speaker suggests one of the ways to verify the origin of the broadcast is to use (check his slide):
Binder.getCallingUid () == Process.SYSTEM_UID
I have tried to test this in my application, but this API gives me the uid of my own application.
I found this explanation from Dianne Hackborn:
Binder.getCallingUid() returns the UID of the caller when processing
an incoming Binder IPC. The value that is returned will vary depending
on whether you are in the context of dispatching an incoming IPC or
something else.
Also, code will often call Binder.clearCallingIdentity() to clear the
calling information after it has verified it so that further operations
are considered to be coming from the current uid.
Also, from the docs:
Return the Linux uid assigned to the process that sent you the current
transaction that is being processed. This uid can be used with
higher-level system services to determine its identity and check permissions.
If the current thread is not currently executing an incoming transaction,
then its own uid is returned.
Given these two explanations, is the API Binder.getCallingUid of any use in life cycle events of Android components (I have tested in onReceive of BroadcastReceiver and onStartCommand of Service)?
If not, why is OWASP asking us to use it?
Solution 1:
Section 5 of this document explains why Binder.getCallingUid() is not useful in a BroadcastReceiver. It just returns the UID of the executing application itself. But it returns a useful value when you are calling a remote service, e.g. when binding a service using AIDL.
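The contrast the answer describes, as an added example that is not part of the original answer or the OWASP slide: the same Binder.getCallingUid() call is meaningless inside onReceive but meaningful inside a bound service's transaction handler. The class names and the transaction code are assumptions, and a raw Binder.onTransact override stands in for an AIDL-generated Stub (a generated Stub dispatches its methods from the same onTransact path).

```java
import android.app.Service;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.Process;
import android.os.RemoteException;
import android.util.Log;

public class CallerUidDemo {
    private static final String TAG = "CallerUidDemo";

    // Assumed transaction code for the "is the caller system?" query (demo value only).
    static final int TRANSACTION_IS_CALLER_SYSTEM = IBinder.FIRST_CALL_TRANSACTION;

    // No incoming Binder transaction is being dispatched on the thread running
    // onReceive, so getCallingUid() is simply this app's own UID: comparing it
    // with SYSTEM_UID cannot distinguish a system broadcast from any other sender.
    public static class SystemEventReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            int uid = Binder.getCallingUid();
            Log.d(TAG, "onReceive callingUid=" + uid + " myUid=" + Process.myUid()
                    + " isSystem=" + (uid == Process.SYSTEM_UID)); // false for a normal app
        }
    }

    // A bound service's Binder runs onTransact while the caller's transaction is
    // being processed, so here getCallingUid() is the remote caller's UID and the
    // SYSTEM_UID check is meaningful. Do the check before any clearCallingIdentity().
    public static class OriginCheckedService extends Service {
        private final IBinder binder = new Binder() {
            @Override
            protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                    throws RemoteException {
                if (code == TRANSACTION_IS_CALLER_SYSTEM) {
                    int callerUid = Binder.getCallingUid();
                    boolean fromSystem = callerUid == Process.SYSTEM_UID;
                    Log.d(TAG, "onTransact callerUid=" + callerUid + " fromSystem=" + fromSystem);
                    if (reply != null) reply.writeInt(fromSystem ? 1 : 0); // null for oneway calls
                    return true;
                }
                return super.onTransact(code, data, reply, flags);
            }
        };

        @Override
        public IBinder onBind(Intent intent) {
            return binder;
        }
    }
}
```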
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow