Android permission to limit INSTALL_REFERRER to play store

You need to set android:permission attribute on your receiver. So that it will look something like this:

<receiver
        android:name=".referrals.MyCampaignTrackingReceiver"
        android:enabled="true"
        android:exported="true"
        android:permission="android.permission.CLEAR_APP_CACHE">
    <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER"/>
    </intent-filter>
</receiver>

Usage of "android.permission.CLEAR_APP_CACHE" here is arbitrary, you can use any permission that Play Store has AND is not possible for third-party apps to have (because CLEAR_APP_CACHEs protection level is system|signature only system apps or apps signed with the same certificate as the application that declared this permission; in this case the platform). For example, looking through Play Store's manifest suggests, "com.android.vending.permission.C2D_MESSAGE" could be another good candidate.

Hope this helps.

INSTALL_REFERRER broadcast permission is not a great concern. Assuming you know you need to handle this broadcast only once, right after install, and you take measures to handle it only once, an attacker will have to know when your app has been installed and somehow send this broadcast before the playstore app, which seems unlikely.