Recipe Name:
Manifest best practices: explicit exported components
Description:
When android:exported is set to true, any application will be able to call this component.
Level:
error
Language:
  • xml
Tags:
  • security
  • framework specific
  • mobile
  • Android
Documentation

The Android best practices and secure coding guidelines recommend that application components not be accessible to third-party applications unless required.

When an Android component has the attribute android:exported="true", components of other applications will be able to call the exported component. This could allow an adversary to gain access to sensitive information, trick a user into thinking they're still using the malicious application, or even modify the internal state of the application.

An Android component that declares an intent-filter is exported by default. When other applications shouldn't call your component, it's considered good practice to explicitly set the exported value to false.

Before
<activity android:exported="true" />
After
<activity android:exported="false" />
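As an added example that is not part of this recipe, the following Python checker applies the same rule as the recipe's search block (android:exported="true" in AndroidManifest.xml) and also flags components that rely on the intent-filter default described above. The package and component names in the sample manifest are constructed for illustration; each finding still has to be reviewed against the "unless required" exception (a launcher activity, for instance, must be exported and should say so explicitly).

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; ElementTree exposes them in Clark notation.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
EXPORTED = f"{{{ANDROID_NS}}}exported"
NAME = f"{{{ANDROID_NS}}}name"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def find_exposed_components(manifest_xml: str) -> list:
    """Return (tag, name, reason) for every component that other apps can call."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            name = comp.get(NAME, "<unnamed>")
            exported = comp.get(EXPORTED)
            has_filter = comp.find("intent-filter") is not None
            if exported == "true":
                # The recipe's own rule: an explicit export.
                findings.append((tag, name, 'android:exported="true"'))
            elif exported is None and has_filter:
                # Implicit export: intent-filter present and no explicit value.
                # (Since Android 12, API 31, the build rejects this omission.)
                findings.append((tag, name, "intent-filter without android:exported"))
    return findings


# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in find_exposed_components(SAMPLE_MANIFEST):
        print(f"{tag} {name}: {reason}")
```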
Resources:
Recipe
id: scw:android:explicit-export
version: 10
metadata:
  name: 'Manifest best practices: explicit exported components'
  shortDescription: When android:exported is set to true any application will be able to call this component.
  level: error
  language: xml
  scwCategory: improper_platform_usage:incorrect_activity_configuration
  cweCategory: 926
  enabled: true
  descriptionFile: descriptions/Manifestbestpracticesdisableexportofandroidcomponents.html
  tags: security;framework specific;mobile;Android
search:
  attribute:
    in:
      file:
        name: AndroidManifest.xml
    name: android:exported
    value: "true"
availableFixes:
- name: Change android:exported to false
  actions:
  - set:
      to: "false"