default value for android: exported


Regarding android: exported for Android Manifest It is said that android: exported = "false" is not always set by default if not specified.

Conclusion

It is safer to explicitly specify all exported attributes

Reason

Because it may be unintentionally published to an external application

    1. If the Activity exported is not specified, true / false is determined depending on whether the intent-filter is defined. --Definition of intent-filter Yes: android: exported = "true" (published to external application) --Intent-filter not defined: android: exported = "false" (private to external apps)

If you inadvertently define an intent-filter without specifying exported, The activity can also be started from an external application. image.png

Furthermore, the implicit intent thrown to activate the activity will also be received by external apps. image.png

  1. The default of Provider exported behaves differently depending on the OS version.
    --True by default up to Android 4.2 (API Level 17)
    --From Android 4.3 (API Level 18), false by default

If you inadvertently specify exported and include minSdkVersion 17 or less Public / private will change depending on the OS version.

I don't think it's a problem if I can't see AndroidManifest.xml. .. ..

Take a look at AndroidManifest.xml, an app on Google Play.

  1. Install the app you want to see Android Manifest on your Android device

  2. Check the package name of the app from Google Play You can check it with the URL of the app page https://play.google.com/store/apps/details?id=【target package name】

  3. Check the full path with the adb command

>adb shell pm list packages -f 【target package name】 package:/data/app/【target package name】-1/base.apk=【target package name】

  1. Pull the apk to your PC using adb

> adb pull /data/app/【target package name】-1

  1. Change the apk extension to zip image.pngimage.png

  2. Extract as zip

  3. Convert AndroidManifest.xml in zip with AXMLPrinter2.jar AXMLPrinter2.jar

>java -jar AXMLPrinter2.jar AndroidManifest.xml > AndroidManifestConverted.xml

  1. In the \ <activity > element other than android.intent.category.LAUNCHER after conversion, Search for activities with exported = "true" or activities for which intent-filter is defined without the description of exported. I feel that it is easy to find in apps with low experience and evaluation </ font>

  2. Try calling from another app

MainActivity.kt


        val targetPackageName : String = "【target package name】"
        val targetActivityName : String = "【target activity name】"

        val intent : Intent = Intent()
        intent.setClassName( targetPackageName, targetActivityName )
        startActivity( intent )

Also possible here

adb am start -n 【target package name】/.【target activity name】

Then activity starts up normally If it is assumed that this activity is called only by a specific process of the same package,
it may skip the expected process and operate.

Summary

As for knowledge, it is written here [Android application secure design / secure coding guide] ](https://www.jssec.org/dl/android_securecoding.pdf) In fact, it's not realistic to check everything in a review, and it's realistic to use a tool because there are omissions. The amount of money you can spend on security depends on the app you make,

Recommended Posts

default value for android: exported
Default value for server.servlet.session.timeout
Build Spring for Android 2.0.0 environment
[Android] Cause and remedy for TransactionTooLargeException
Default values for MaxHeapSize and InitialHeapSize
Links for creating Android apps (for beginners)
First Android development for busy people
Library collection useful for Android development
[Android] Create validation for date input!
Notes for Android application development beginners
[Android] Procedure for supporting deep links