43

I'm looking for a solution to get rid of the warning. I don't understand even why it appears. I took a look at a SDK example where no warning appears.

At first here is my manifest where I get the warning Exported service does not require permission:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.android"
    android:versionCode="1"
    android:versionName="1.0" >

    <uses-sdk android:minSdkVersion="8"
              android:targetSdkVersion="15" />

    <uses-feature android:name="android.hardware.camera"
                  android:required="true" />

    <uses-permission android:name="android.permission.GET_ACCOUNTS" />
    <uses-permission android:name="android.permission.USE_CREDENTIALS" />
    <uses-permission android:name="android.permission.MANAGE_ACCOUNTS" />
    <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS" />
    <uses-permission android:name="android.permission.READ_SYNC_SETTINGS" />
    <uses-permission android:name="android.permission.WRITE_SYNC_SETTINGS" />

    <application
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name"
        android:theme="@style/Theme.Sherlock">
        <service
            android:name=".AuthenticationService"
            android:exported="true">
            <intent-filter>
                <action
                    android:name="android.accounts.AccountAuthenticator" />
            </intent-filter>
            <meta-data
                android:name="android.accounts.AccountAuthenticator"
                android:resource="@xml/authenticator" />
        </service>

        <activity
            android:name=".Test"
            android:label="@string/app_name" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.DEFAULT" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
...

While the SampleSyncAdapter of the Android SDK has this manifest:

<?xml version="1.0" encoding="utf-8"?>
<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.android.samplesync"
    android:versionCode="1"
    android:versionName="1.0">
    <uses-permission android:name="android.permission.GET_ACCOUNTS" />
    <uses-permission android:name="android.permission.USE_CREDENTIALS" />
    <!-- ... -->

    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15" />

    <application
        android:icon="@drawable/icon"
        android:label="@string/label">
        <!-- The authenticator service -->
        <service
            android:name=".authenticator.AuthenticationService"
            android:exported="true">
            <intent-filter>
                <action
                    android:name="android.accounts.AccountAuthenticator" />
            </intent-filter>
            <meta-data
                android:name="android.accounts.AccountAuthenticator"
                android:resource="@xml/authenticator" />
        </service>
    ...

But there is no warning. Why the hell do I get a warning? Well I use the Theme.Sherlock theme for the usage of the ActionBarSherlock. But I cannot imagine that this causes the error.

rekire
  • 47,260
  • 30
  • 167
  • 264
  • 5
    The warning is telling you that you have exported (ie: made publicly available) a service without securing it with a permission. This makes your service available to any other applications without restrictions. See http://stackoverflow.com/questions/10474134/exported-service-does-not-require-permission-what-does-it-mean – David Wasser Jul 19 '12 at 10:38
  • If your service doesn't need to be available to other applications, you don't need to `export` it. Removing that will remove the warning. – David Wasser Jul 19 '12 at 10:41
  • @DavidWasser It makes no differance to remove the export attribute. By the way the example of the SDK does not define a special own permission. So far I'm confused... – rekire Jul 19 '12 at 11:19
  • 3
    The default value for `android:export` is `true` **if** you have provided an Intent filter. If your service doesn't need to be publicly available you can explicitly set `android:export="false"`. – David Wasser Jul 19 '12 at 12:56
  • Some people have suggested "clean your project". This may be another one of those typical problems with Eclipse, where it doesn't rebuild some thing because it is "dependency-challenged" – David Wasser Jul 19 '12 at 13:04
  • @DavidWasser Could you add this as answer? To set it as false workes for me. – rekire Jul 19 '12 at 13:29
  • possible duplicate of [Warning: Exported activity does not require permission](http://stackoverflow.com/questions/11333988/warning-exported-activity-does-not-require-permission) – Sergey Glotov Nov 08 '12 at 19:25

3 Answers3

72

The warning is telling you that you have exported (ie: made publicly available) a service without securing it with a permission. This makes your service available to any other applications without restrictions. See Exported service does not require permission: what does it mean?

If your service doesn't need to be available to other applications, you don't need to export it. Explicitly setting android:exported="false" will remove the warning.

Note: The default value for android:exported is true if you have provided an Intent filter.

Community
  • 1
  • 1
David Wasser
  • 93,459
  • 16
  • 209
  • 274
  • should be android:exported instead of android:export – NPike Jul 28 '12 at 20:08
  • @NPike you are so right! Thanks for catching that. I've edited my answer to correct that typo. – David Wasser Jul 29 '12 at 22:46
  • 1
    What about, conversely, if I actually wish for the exported activity or service to be available to any other application, because, for example, I am a file explorer, or a web browser? Do I just deal with the warning? – Hamid Jul 30 '12 at 13:41
  • Either you ignore the warning or you protect access to the activity or service with **permission**. Then, when another component wants to use your service or activity, it just needs to request the appropriate permission. – David Wasser Jul 30 '12 at 14:37
  • Small note, when setting it to FALSE, the APPWIDGET_DISABLED and APPWIDGET_DELETED events don't seem to get triggered, as described by GSD.Aaz here http://stackoverflow.com/questions/6814573/appwidgetprovider-problem – Morfic Oct 25 '12 at 15:09
  • 6
    then why sample `SampleSyncAdapter` doesn't have this warning ? – Alexander Malakhov May 24 '13 at 10:40
  • I've filed a [new Android bug report](https://code.google.com/p/android/issues/detail?id=224976) to fix this false warning. Services for SyncAdapter shouldn't require a permission (or the [official training guide](https://developer.android.com/training/sync-adapters/creating-authenticator.html#DeclareAuthenticator) should be updated to add `android:exported="false"`). – Vicky Chijwani Oct 11 '16 at 15:02
4

You need to add a permission requirement for your service. The one you need is android.permission.ACCOUNT_MANAGER. Your authenticator is only accessed through the manager.

Paul de Vrieze
  • 4,888
  • 1
  • 24
  • 29
1

Regarding this issue, there is already a bug created in Android project about this warning using "Sync Adapter": https://code.google.com/p/android/issues/detail?id=37280 but it's still an Open bug.

Juan Saravia
  • 7,661
  • 6
  • 29
  • 41