31

Good day,

In my simple Andorid app which is really just a webview app, I added android:exported="false" in Android Manifest to avoid the Exported service without permissions warning / vulnerability. However when I run it on my device it would give App is not installed error, unless I change it to android:exported="true", then the app would launch fine on my device.

I then tried to add a permission tag as follows to avoid the "Exported service without permissions" warning but the app would not run again. What would be best to have the app running correctly? I don't really need to export any service. The internet permissions is for some annotation links in my app which would open in an external browser.

Sorry if I'm missing something basic as I'm new to Android development, thanks for any pointers.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"   
package=com.mymundane.app">
<uses-permission android:name="android.permission.INTERNET" />
<permission android:name=com.mymundane.app.mypermission" 
  android:label="mypermission" android:protectionLevel="signature">
</permission>
<application
    android:allowBackup="true"
    android:icon="@mipmap/ic_launcher"
    android:label=com.mymundane.app"
    android:roundIcon="@mipmap/ic_launcher_round"
    android:supportsRtl="true"
    android:theme="@style/AppTheme"
    android:fullBackupContent="@xml/backup_descriptor">
    <activity android:name=com.mymundane.app.MainActivity" 
        android:exported="true"  android:screenOrientation="portrait" 
         android:permission=com.mymundane.app.mypermission">
        <intent-filter>
            <action android:name="android.intent.action.MAIN" />
            <category android:name="android.intent.category.LAUNCHER" />
        </intent-filter>
    </activity>
</application>

</manifest>
Junaid Khalid
  • 811
  • 2
  • 11
  • 26
Hofuzz
  • 439
  • 1
  • 6
  • 14

3 Answers3

75

The "exported" attribute describes whether or not someone else can be allowed to use it.

So if you have "exported=false" on an Activity, no other app, or even the Android system itself, can launch it. Only you can do that, from inside your own application.

So settings "exported=false" on the Activity marked as the LAUNCHER Activity would basically tell the system that it cant launch your application, ever.

As for the error you mentioned, i don't see any services in your manifest? Where is that warning shown for you?

Moonbloom
  • 7,738
  • 3
  • 26
  • 38
  • Thank you for the quick response and clarification, it's a feedback from our client that they found "exported service without permission " as a vulnerability in our app, I'll ask them to clarify. – Hofuzz Mar 25 '18 at 00:46
  • 1
    Are you using any libraries? If so, they might include a service, which could be set to 'exported=true'. You can check that if you use the "Merged Manifest" tab in Android Studio. – Moonbloom Mar 25 '18 at 00:48
  • Thanks for the tip, checked that and it doesn't look much different than the main manifest, I'm not using any libraries, I'll ask what sort of scanner our client is using that's reporting the vulnerability. – Hofuzz Mar 25 '18 at 00:58
  • I have the same issue - also came up because of a flagged vulnerability from a static scan. As per the original question though, I would like to know what permissions, if any, need to be set here. Or is it not considered a vulnerability in the case of the launcher? Thanks in advance for clarifying. – Fuad Kamal Jan 09 '20 at 19:45
  • Android Studio gave me an encouraging 'Launch succeeded' message and even put a non-functional launch icon on my test device when I had this initially set to false in my main activity. There are recent posts directing this to be set to false for activities with intents as it now has to be set explicitly with Android 12, without mentioning it needs to be set to true for the main activity. – Androidcoder Jul 18 '21 at 13:18
  • What exactly was the point of adding something ridiculous like this which can only be set to true? – gattsbr Jan 23 '22 at 21:40
  • Perfectly clear explanation, thank you. Why can't google's docs be this easy to understand (they sort of imply this, but it's not obvious). – SMBiggs Feb 11 '22 at 18:27
  • [This answer is not true](https://developer.android.com/guide/topics/manifest/activity-element#exported) "If `false`, the activity can be launched only by components of the same application, applications with the same user ID, **or privileged system components**. This is the default value when there are no intent filters." –  Jul 13 '22 at 22:13
4

Since this is the first thing that pops up on Google when searching "android:exported = false meaning", its worth mentioning that the statement from the most upvoted answer:

So if you have "exported=false" on an Activity, no other app, or even the Android system itself, can launch it. Only you can do that, from inside your own application

is wrong.

According to the Android <activity> documentation:

If exported="false", the activity can be launched only by components of the same application, applications with the same user ID, or privileged system components. This is the default value when there are no intent filters.

The exported tag prevents a (non-system) launcher from launching the activity. However, it is wrong to state that exported="false" stops the component from being started from anything that is not the application itself. This is particularly important when it comes to system manifest broadcasts (e.g. BOOT_COMPLETED). Boot broadcast receivers will still activate even if exported="false".

0

You uploaded an APK or Android App Bundle which has an activity, activity alias, service, or broadcast receiver with intent filter, but without the 'android: exported' property set. This file can't be installed on Android 12 or higher. See: developer.android.com/about/versions/12/behavior-changes-12#exported

for better experience read the official android doc. https://developer.android.com/about/versions/12/behavior-changes-12#exported

Note: sometimes this error occurred when you are using old payUMoney SDK. so replace this with payUcheckout pro SDK then your problem is solved.

thank you.

MK Tech And Motivational
  • 11
  • 3