If an Android component is exported and no permissions are defined then other mobile apps can interact with it and perform potential unauthorized actions.
For instance, an exported content provider can expose sensitive data, if no permissions are defined, to other mobile apps.
It's highly recommended to implement restrictive permissions on exposed components.
In an AndroidManifest.xml file, an exported component is vulnerable when read and write permissions are not defined:
<provider android:authorities="com.example.myapp.MyProvider1" android:name="com.example.myapp.MyProvider1" android:exported="true" android:readPermission="com.example.myapp.READ_PERMISSION" /> <!-- Noncompliant: write permission is not defined --> <provider android:authorities="com.example.myapp.MyProvider2" android:name="com.example.myapp.MyProvider2" android:exported="true" android:writePermission="com.example.myapp.WRITE_PERMISSION" /> <!-- Noncompliant: read permission is not defined -->
With an <intent-filter> the component's attibute android:exported default value is "true":
<activity android:name="com.example.activity1"> <!-- Noncompliant: permissions are not defined -->
<intent-filter>
<action android:name="com.example.OPEN_UI"/>
<category android:name="android.intent.category.DEFAULT"/>
</intent-filter>
</activity>
In an AndroidManifest.xml file, if it is not needed to export a component to other apps then set the exported property to
false:
<provider android:authorities="com.example.myapp.MyProvider1" android:name="com.example.myapp.MyProvider1" android:exported="false" /> <!-- Compliant -->
Otherwise, implement permissions (protectionLevel value must be defined depending on the sensitivity of the
component):
<permission android:name="com.example.myapp.A_PERMISSION"
android:description="@string/perm_desc_A_PERMISSION"
android:label="@string/perm_label_A_PERMISSION"
android:protectionLevel="dangerous" />
<provider
android:authorities="com.example.myapp.MyProvider2"
android:name="com.example.myapp.MyProvider2"
android:exported="true"
android:permission="com.example.myapp.A_PERMISSION" /> <!-- Compliant -->
<activity android:name="com.example.activity1"
android:permission="com.example.myapp.A_PERMISSION"> <!-- Compliant -->
<intent-filter>
<action android:name="com.example.OPEN_UI"/>
<category android:name="android.intent.category.DEFAULT"/>
</intent-filter>
</activity>