Once an Android component has been exported, it can be used by attackers to launch malicious actions and might also give access to other components that are not exported.
As a result, sensitive user data can be stolen, and components can be launched unexpectedly.
For this reason, the following components should be protected:
- Providers
- Activities
- Activity-aliases
- Services
To do so, it is recommended to either set exported to false, add android:readPermission and android:writePermission attributes, or add a <permission> tag.
Warning: When targeting Android versions lower than 12, the presence of intent filters will cause exported to be set to true by default.
If a component must be exported, use a <permission> tag and the protection level that matches your use case and data confidentiality requirements.
For example, Sync adapters should use a signature protection level to remain both exported and protected.
Noncompliant Code Example
The following components are vulnerable because permissions are undefined or partially defined:
<provider
    android:authorities="com.example.app.Provider"
    android:name="com.example.app.Provider"
    android:exported="true"
    android:readPermission="com.example.app.READ_PERMISSION" /> <!-- Noncompliant: write permission is not defined -->

<provider
    android:authorities="com.example.app.Provider"
    android:name="com.example.app.Provider"
    android:exported="true"
    android:writePermission="com.example.app.WRITE_PERMISSION" /> <!-- Noncompliant: read permission is not defined -->

<activity android:name="com.example.activity.Activity"> <!-- Noncompliant: permissions are not defined -->
    <intent-filter>
        <action android:name="com.example.OPEN_UI"/>
        <category android:name="android.intent.category.DEFAULT"/>
    </intent-filter>
</activity>
Compliant Solution
If the component's capabilities or data are not intended to be shared with other apps, its exported attribute should be set to false:
<provider
    android:authorities="com.example.app.Provider"
    android:name="com.example.app.Provider"
    android:exported="false" />
Otherwise, implement permissions:
<provider
    android:authorities="com.example.app.Provider"
    android:name="com.example.app.Provider"
    android:exported="true"
    android:readPermission="com.example.app.READ_PERMISSION"
    android:writePermission="com.example.app.WRITE_PERMISSION" />

<activity android:name="com.example.activity.Activity"
    android:permission="com.example.app.PERMISSION" >
    <intent-filter>
        <action android:name="com.example.OPEN_UI"/>
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
</activity>
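The checks above can be run over a manifest before release. The following Python script is an added example, not part of the original rule or of any analyzer's code: it flags exported providers, activities, activity-aliases and services that lack permissions, including components exported only through an intent filter. The sample manifest and its component names are constructed, and the script assumes that android:permission on a provider covers both read and write access.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = {"provider", "activity", "activity-alias", "service"}

# Constructed sample manifest; all component names are made up for this example.
SAMPLE = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application>
  <provider android:name=".ReadOnly" android:authorities="a" android:exported="true"
            android:readPermission="com.example.app.READ_PERMISSION"/>
  <provider android:name=".WriteOnly" android:authorities="b" android:exported="true"
            android:writePermission="com.example.app.WRITE_PERMISSION"/>
  <provider android:name=".Private" android:authorities="c" android:exported="false"/>
  <activity android:name=".Implicit">
   <intent-filter><action android:name="com.example.OPEN_UI"/></intent-filter>
  </activity>
  <activity android:name=".Guarded" android:permission="com.example.app.PERMISSION">
   <intent-filter><action android:name="com.example.OPEN_UI"/></intent-filter>
  </activity>
 </application>
</manifest>"""

def is_exported(elem, targets_below_12):
    """Explicit android:exported wins; otherwise an intent filter exports the
    component by default only when targeting Android versions lower than 12."""
    explicit = elem.get(NS + "exported")
    if explicit is not None:
        return explicit == "true"
    return targets_below_12 and elem.find("intent-filter") is not None

def audit(manifest_xml, targets_below_12=True):
    """Return (tag, name, missing_attributes) for each exported, unprotected component."""
    findings = []
    for elem in ET.fromstring(manifest_xml).iter():
        if elem.tag not in COMPONENTS or not is_exported(elem, targets_below_12):
            continue
        general = elem.get(NS + "permission")
        if elem.tag == "provider":
            # Assumption: android:permission on a provider covers read and write.
            wanted = ["readPermission", "writePermission"]
            missing = [a for a in wanted if not (elem.get(NS + a) or general)]
        else:
            missing = [] if general else ["permission"]
        if missing:
            findings.append((elem.tag, elem.get(NS + "name"), missing))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Pass targets_below_12=False when the app targets Android 12 or later, where an intent filter no longer implies exported="true".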
See