android:exported
Stay organized with collections
Save and categorize content based on your preferences.
OWASP category: MASVS-PLATFORM: Platform Interaction
Overview
The android:exported attribute sets whether a component (activity, service, broadcast receiver, etc.) can be launched by components of other applications:
- If
true, any app can access the activity and launch it by its exact class name.
- If
false, only components of the same application, applications with the same user ID, or privileged system components can launch the activity.
The logic behind the default value of this attribute changed over time and was different depending on the component types and Android versions. For example, on API level 16 (Android 4.1.1) or lower the value for <provider> elements is set to true by default. Not setting this attribute explicitly carries the risk of having different default values between some devices.
Impact
The situation with different default values means you could accidentally expose internal application components. A few examples of the consequences could be the following:
Denial of service attacks.
Other apps inappropriately accessing internal components to modify your app’s internal functionality.
Leaking of sensitive data.
Code execution in the context of the vulnerable application.
Mitigations
Always explicitly set the android:exported attribute. This will leave no room for interpretation and clearly signal your intention with regard to a component’s visibility.
Recommended for you
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2024-09-24 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-09-24 UTC."],[],[],null,["# android:exported\n\n\u003cbr /\u003e\n\n**OWASP category:** [MASVS-PLATFORM: Platform Interaction](https://mas.owasp.org/MASVS/09-MASVS-PLATFORM)\n\nOverview\n--------\n\nThe `android:exported` [attribute](/guide/topics/manifest/activity-element#exported) sets whether a component (activity, service, broadcast receiver, etc.) can be launched by components of other applications:\n\n- If `true`, any app can access the activity and launch it by its exact class name.\n- If `false`, only components of the same application, applications with the same user ID, or privileged system components can launch the activity.\n\nThe logic behind the default value of this attribute changed over time and was different depending on the component types and Android versions. For example, on API level 16 (Android 4.1.1) or lower the value for `\u003cprovider\u003e` elements is set to `true` by default. Not setting this attribute explicitly carries the risk of having different default values between some devices.\n\nImpact\n------\n\nThe situation with different default values means you could accidentally expose internal application components. A few examples of the consequences could be the following:\n\nDenial of service attacks.\nOther apps inappropriately accessing internal components to modify your app's internal functionality.\nLeaking of sensitive data.\nCode execution in the context of the vulnerable application.\n\nMitigations\n-----------\n\nAlways explicitly set the `android:exported` attribute. This will leave no room for interpretation and clearly signal your intention with regard to a component's visibility.\n\nRecommended for you\n-------------------\n\n- Note: link text is displayed when JavaScript is off\n- [# Key management {:#key-management}](/topic/security/data)\n- [Run embedded DEX code directly from APK](/topic/security/dex)\n- [Tapjacking](/topic/security/risks/tapjacking)"]]
