If an Android component is exported and no permissions are defined then other mobile apps can interact with it and perform potential unauthorized actions.

For instance, an exported content provider can expose sensitive data, if no permissions are defined, to other mobile apps.

It's highly recommended to implement restrictive permissions on exposed components.

Noncompliant Code Example

In an AndroidManifest.xml file, an exported component is vulnerable when read and write permissions are not defined:

<provider
  android:authorities="com.example.myapp.MyProvider1"
  android:name="com.example.myapp.MyProvider1"
  android:exported="true"
  android:readPermission="com.example.myapp.READ_PERMISSION" />  <!-- Noncompliant: write permission is not defined -->

<provider
  android:authorities="com.example.myapp.MyProvider2"
  android:name="com.example.myapp.MyProvider2"
  android:exported="true"
  android:writePermission="com.example.myapp.WRITE_PERMISSION" />  <!-- Noncompliant: read permission is not defined -->

With an <intent-filter> the component's attibute android:exported default value is "true":

<activity android:name="com.example.activity1">  <!-- Noncompliant: permissions are not defined -->
  <intent-filter>
    <action android:name="com.example.OPEN_UI"/>
    <category android:name="android.intent.category.DEFAULT"/>
  </intent-filter>
</activity>

Compliant Solution

In an AndroidManifest.xml file, if it is not needed to export a component to other apps then set the exported property to false:

<provider
  android:authorities="com.example.myapp.MyProvider1"
  android:name="com.example.myapp.MyProvider1"
  android:exported="false" />  <!-- Compliant -->

Otherwise, implement permissions (protectionLevel value must be defined depending on the sensitivity of the component):

<permission android:name="com.example.myapp.A_PERMISSION"
  android:description="@string/perm_desc_A_PERMISSION"
  android:label="@string/perm_label_A_PERMISSION"
  android:protectionLevel="dangerous" />

<provider
  android:authorities="com.example.myapp.MyProvider2"
  android:name="com.example.myapp.MyProvider2"
  android:exported="true"
  android:permission="com.example.myapp.A_PERMISSION"  />  <!-- Compliant -->

<activity android:name="com.example.activity1"
          android:permission="com.example.myapp.A_PERMISSION">  <!-- Compliant -->
  <intent-filter>
    <action android:name="com.example.OPEN_UI"/>
    <category android:name="android.intent.category.DEFAULT"/>
  </intent-filter>
</activity>

See