Why is this an issue?

Once an Android component has been exported, it can be used by attackers to launch malicious actions and might also give access to other components that are not exported.

As a result, sensitive user data can be stolen, and components can be launched unexpectedly.

For this reason, the following components should be protected:

• Providers
• Activities
• Activity-aliases
• Services

To do so, it is recommended to either set exported to false, add android:readPermission and android:writePermission attributes, or add a <permission> tag.

Warning: When targeting Android versions lower than 12, the presence of intent filters will cause exported to be set to true by default.

If a component must be exported, use a <permission> tag and the protection level that matches your use case and data confidentiality requirements.
For example, Sync adapters should use a signature protection level to remain both exported and protected.

Noncompliant code example

The following components are vulnerable because permissions are undefined or partially defined:

<provider
  android:authorities="com.example.app.Provider"
  android:name="com.example.app.Provider"
  android:exported="true"
  android:readPermission="com.example.app.READ_PERMISSION" />  <!-- Noncompliant: write permission is not defined -->

<provider
  android:authorities="com.example.app.Provider"
  android:name="com.example.app.Provider"
  android:exported="true"
  android:writePermission="com.example.app.WRITE_PERMISSION" />  <!-- Noncompliant: read permission is not defined -->

<activity android:name="com.example.activity.Activity">  <!-- Noncompliant: permissions are not defined -->
  <intent-filter>
    <action android:name="com.example.OPEN_UI"/>
    <category android:name="android.intent.category.DEFAULT"/>
  </intent-filter>
</activity>

Compliant solution

If the component’s capabilities or data are not intended to be shared with other apps, its exported attribute should be set to false:

<provider
  android:authorities="com.example.app.Provider"
  android:name="com.example.app.Provider"
  android:exported="false" />

Otherwise, implement permissions:

<provider
  android:authorities="com.example.app.Provider"
  android:name="com.example.app.Provider"
  android:exported="true"
  android:readPermission="com.example.app.READ_PERMISSION"
  android:writePermission="com.example.app.WRITE_PERMISSION" />

<activity android:name="com.example.activity.Activity"
          android:permission="com.example.app.PERMISSION" >
  <intent-filter>
    <action android:name="com.example.OPEN_UI"/>
    <category android:name="android.intent.category.DEFAULT" />
  </intent-filter>
</activity>

Resources

• developer.android.com - Implementing content provider permissions
• Mobile AppSec Verification Standard - Platform Interaction Requirements
• OWASP Mobile Top 10 2016 Category M1 - Improper platform usage
• OWASP Mobile Top 10 2016 Category M2 - Insecure Data Storage
• MITRE, CWE-926 - Improper Export of Android Application Components