Recipe Name:
Manifest best practices: explicit exported components
Description:
When android:exported is set to true any application will be able to call this component.
Level:
error
Language:
- xml
Tags:
- security
- framework specific
- mobile
- Android
Documentation
The Android best practices and secure coding guidelines make recommendations stating application components shouldn't be accessible to 3rd party applications unless required.
When an android component has the attribute android:exported="true", components of other applications will be able to call the exported component. This could allow an adversary to gain access to sensitive information, trick a user into thinking they're still using the malicious application, or even modify the internal state of the application.
When defining an intent-filter, android components are exported by default. When other applications shouldn't call your component, it's considered good practice to explicitly set the exported value to false.
Before<activity android:exported="true" />After
<activity android:exported="true" />Resources:
Recipe
id: scw:android:explicit-export
version: 10
metadata:
name: 'Manifest best practices: explicit exported components'
shortDescription: When android:exported is set to true any application will be able to call this component.
level: error
language: xml
scwCategory: improper_platform_usage:incorrect_activity_configuration
cweCategory: 926
enabled: true
descriptionFile: descriptions/Manifestbestpracticesdisableexportofandroidcomponents.html
tags: security;framework specific;mobile;Android
search:
attribute:
in:
file:
name: AndroidManifest.xml
name: android:exported
value: "true"
availableFixes:
- name: Change android:exported to false
actions:
- set:
to: "false"