Implicitly exported Android component
ID: java/android/implicitly-exported-component
Kind: problem
Security severity: 8.2
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-926
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls
The Android manifest file defines configuration settings for Android applications. In this file, components can be declared with intent filters which specify what the components can do and what types of intents the components can respond to. If the android:exported attribute is omitted from the component when an intent filter is included, then the component will be implicitly exported.
An implicitly exported component could allow for improper access to the component and its data.
Recommendation
Explicitly set the android:exported attribute for every component or use permissions to limit access to the component.
Example
In the example below, the android:exported attribute is omitted when an intent filter is used.
<manifest ... >
    <application ... >
        <!-- BAD: this component is implicitly exported -->
        <activity
            android:name=".Activity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
            </intent-filter>
        </activity>
    </application>
</manifest>
A corrected version sets the android:exported attribute to false.
<manifest ... >
    <application ... >
        <!-- GOOD: this component is not exported due to 'android:exported' explicitly set to 'false' -->
        <activity
            android:name=".Activity"
            android:exported="false">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
            </intent-filter>
        </activity>
    </application>
</manifest>
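The same condition can be checked directly on a manifest file. The script below is an added example, not the CodeQL query's own logic: it lists every component that declares an intent filter without an android:exported attribute and notes whether a permission limits access to it. The sample manifest, component names and permission string are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = {"activity", "activity-alias", "service", "receiver", "provider"}

def _android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def find_implicitly_exported(manifest_xml):
    """Return (tag, name, permission_guarded) for every component that declares
    an <intent-filter> but has no android:exported attribute."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    app_permission = _android_attr(app, "permission")
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or comp.find("intent-filter") is None:
            continue
        if _android_attr(comp, "exported") is not None:
            continue  # explicit true/false: the author made a decision
        guarded = bool(_android_attr(comp, "permission") or app_permission)
        findings.append((comp.tag, _android_attr(comp, "name"), guarded))
    return findings

# Constructed sample manifest (names and permission are made up for illustration).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".ViewActivity">
      <intent-filter><action android:name="android.intent.action.VIEW" /></intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false">
      <intent-filter><action android:name="android.intent.action.VIEW" /></intent-filter>
    </activity>
    <service android:name=".SyncService" android:permission="com.example.app.SYNC">
      <intent-filter><action android:name="com.example.app.SYNC_NOW" /></intent-filter>
    </service>
    <receiver android:name=".NoFilterReceiver" />
  </application>
</manifest>"""

if __name__ == "__main__":
    for tag, name, guarded in find_implicitly_exported(SAMPLE_MANIFEST):
        note = "permission-guarded" if guarded else "no permission set"
        print(f"<{tag}> {name}: android:exported missing ({note})")
```

Components reported as permission-guarded still lack an explicit android:exported value, so they are listed for review rather than suppressed.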
References
Android Developers: App Manifest Overview.
Android Developers: The <intent-filter> element.
Android Developers: The android:exported attribute.
Android Developers: The android:permission attribute.
Android Developers: Safer component exporting.
Common Weakness Enumeration: CWE-926.