org.sonar.l10n.xml.rules.xml.S7207.html Maven / Gradle / Ivy
The android:exported attribute in Android Manifest files controls whether a component, for example an activity or service, can be
started by other applications. When android:exported is not explicitly set, Android versions prior to API level 31 implicitly treat the
component as if android:exported="true" were declared. This implicit export behavior could potentially lead to unintended access to the
component and any data it manages.
Why is this an issue?
The core issue lies in the potential for unintended exposure. Developers may design components with the expectation that they are only accessible
within their application. However, due to the implicit export behavior in older Android versions when android:exported is not set, these
components become publicly accessible without the developer’s explicit configuration. This discrepancy between intended design and actual behavior can
create security vulnerabilities, as components designed for internal use may not have the necessary security measures to handle external, potentially
malicious, interactions.
What is the potential impact?
When an Android component is unintentionally exported, it can expose the application to several potential security and functional risks.
Essentially, components designed for internal application use become accessible to external applications, potentially leading to unintended
consequences.
Data exposure and leakage
One significant potential impact is the unintended exposure of sensitive data. If the implicitly exported component handles or processes user data,
personal information, API keys, or other confidential information, a malicious application could potentially interact with this component to extract
or intercept such data. This could lead to privacy violations, identity theft, or other forms of data breaches, depending on the nature and
sensitivity of the exposed information.
Unauthorized execution of functionality
Beyond data exposure, an implicitly exported component can also enable unauthorized execution of application functionalities. Malicious
applications might be able to leverage the exported component to trigger actions or workflows within your application that were intended for internal
use only. This could result in unintended modifications to application state, bypassing of intended security controls, or even the exploitation of
vulnerabilities within the component’s exposed functionality, leading to unpredictable or harmful behavior of the application.
How to fix it
Code examples
Noncompliant code example
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools">
<application>
<activity android:name=".ExampleActivity">
<intent-filter>
<action android:name="com.sonar.demo.SAMPLE_ACTION" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
</activity>
</application>
</manifest>
Compliant solution
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools">
<application>
<activity android:name=".ExampleActivity"
android:exported="true">
<intent-filter>
<action android:name="com.sonar.demo.SAMPLE_ACTION" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
</activity>
</application>
</manifest>
Resources
Documentation
- Android Documentation - android:exported
- Android Documentation - Understanding common security risks
- android:exported
Standards
- OWASP - Top 10 2021 Category A1 - Broken Access Control
- OWASP - Top 10 2021 Category A4 - Insecure Design
- OWASP - Mobile Top 10 2024 Category M8 -
Security Misconfiguration
- CWE - CWE-926 - Improper Export of Android Application Components
- CWE - CWE-284 - Improper Access Control
- CWE - CWE-732 - Incorrect Permission Assignment for Critical Resource