Once an Android component has been exported, it can be used by attackers to launch malicious actions and might also give access to other components that are not exported.

As a result, sensitive user data can be stolen, and components can be launched unexpectedly.

For this reason, the following components should be protected:

• Providers
• Activities
• Activity-aliases
• Services

To do so, it is recommended to either set exported to false, add android:readPermission and android:writePermission attributes, or add a <permission> tag.

Warning: When targeting Android versions lower than 12, the presence of intent filters will cause exported to be set to true by default.

If a component must be exported, use a <permission> tag and the protection level that matches your use case and data confidentiality requirements.
For example, Sync adapters should use a signature protection level to remain both exported and protected.

Noncompliant Code Example

The following components are vulnerable because permissions are undefined or partially defined:

<provider
  android:authorities="com.example.app.Provider"
  android:name="com.example.app.Provider"
  android:exported="true"
  android:readPermission="com.example.app.READ_PERMISSION" />  <!-- Noncompliant: write permission is not defined -->

<provider
  android:authorities="com.example.app.Provider"
  android:name="com.example.app.Provider"
  android:exported="true"
  android:writePermission="com.example.app.WRITE_PERMISSION" />  <!-- Noncompliant: read permission is not defined -->

<activity android:name="com.example.activity.Activity">  <!-- Noncompliant: permissions are not defined -->
  <intent-filter>
    <action android:name="com.example.OPEN_UI"/>
    <category android:name="android.intent.category.DEFAULT"/>
  </intent-filter>
</activity>

Compliant Solution

If the component’s capabilities or data are not intended to be shared with other apps, its exported attribute should be set to false:

<provider
  android:authorities="com.example.app.Provider"
  android:name="com.example.app.Provider"
  android:exported="false" />

Otherwise, implement permissions:

<provider
  android:authorities="com.example.app.Provider"
  android:name="com.example.app.Provider"
  android:exported="true"
  android:readPermission="com.example.app.READ_PERMISSION"
  android:writePermission="com.example.app.WRITE_PERMISSION" />

<activity android:name="com.example.activity.Activity"
          android:permission="com.example.app.PERMISSION" >
  <intent-filter>
    <action android:name="com.example.OPEN_UI"/>
    <category android:name="android.intent.category.DEFAULT" />
  </intent-filter>
</activity>

See

• developer.android.com - Implementing content provider permissions
• Mobile AppSec Verification Standard - Platform Interaction Requirements
• OWASP Mobile Top 10 2016 Category M1 - Improper platform usage
• OWASP Mobile Top 10 2016 Category M2 - Insecure Data Storage
• MITRE, CWE-926 - Improper Export of Android Application Components