A security vendor has reported a VAPT issue with my Flutter app: CWE-926: Improper Export of Android Application Components. The Flutter app by default has only one main activity.
```xml
<application
    android:label="MyApp"
    android:icon="@mipmap/ic_launcher"
    android:allowBackup="false"
    android:fullBackupContent="false">
    <activity
        android:name=".MainActivity"
        android:launchMode="singleTop"
        android:theme="@style/LaunchTheme"
        android:configChanges="orientation|keyboardHidden|keyboard|screenSize|locale|layoutDirection|fontScale|screenLayout|density|uiMode"
        android:hardwareAccelerated="true"
        android:windowSoftInputMode="adjustResize">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
    </activity>
    <meta-data
        android:name="flutterEmbedding"
        android:value="2" />
</application>
```
There are 2 recommendations to fix this issue as per the CWE page:

- Add `android:exportable="false"`

  The main activity is exportable. If I add `android:exportable="false"` to the main activity, I am not able to run the app. It ends with an error when I try to run it on the emulator.

- Use `android:protectionLevel="signature"`

  I am new to Android development. I tried to create a new permission and use it for the application, but I am again getting the error `permission denied`.
I am clueless as to how to solve this issue. As I understand it, MainActivity has to be exportable, so I am not sure how to solve this.
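
As an added example (not part of the original post, and not the vendor's tooling): a Python check that parses a manifest and reports which components are effectively exported, separating the launcher activity from components that a CWE-926 review should look at. It reads the manifest attribute `android:exported`; the package name, the `INTERNAL` permission and every component other than `MainActivity` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
KINDS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample: MainActivity as in the post; every other entry is hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.myapp">
  <permission android:name="com.example.myapp.INTERNAL" android:protectionLevel="signature"/>
  <application android:label="MyApp">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService"><intent-filter><action android:name="com.example.myapp.SYNC"/></intent-filter></service>
    <receiver android:name=".AdminReceiver" android:exported="true" android:permission="com.example.myapp.INTERNAL"/>
  </application>
</manifest>"""

def is_launcher(comp):
    # True if one intent-filter carries both MAIN and LAUNCHER.
    want = {"android.intent.action.MAIN", "android.intent.category.LAUNCHER"}
    return any(want <= {e.get(A + "name") for e in f} for f in comp.findall("intent-filter"))

def audit(manifest_xml):
    """Map each component name to a verdict about its export status."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    # Permissions this manifest declares with protectionLevel="signature".
    signature = {p.get(A + "name") for p in root.findall("permission")
                 if p.get(A + "protectionLevel") == "signature"}
    verdicts = {}
    for comp in (c for c in app if c.tag in KINDS):
        # With no explicit android:exported, an intent-filter makes the component
        # exported (an explicit value is required when targeting API 31+).
        implied = "true" if comp.find("intent-filter") is not None else "false"
        exported = comp.get(A + "exported", implied)
        perm = comp.get(A + "permission") or app.get(A + "permission")
        if exported != "true":
            verdict = "not exported"
        elif is_launcher(comp):
            verdict = "launcher entry point, must stay exported"
        elif perm in signature:
            verdict = "exported, signature permission"
        else:
            verdict = "exported without signature permission: review"
        verdicts[comp.get(A + "name")] = verdict
    return verdicts
```

Calling `audit(SAMPLE)` returns one verdict per component; only entries marked `review` are exported to other apps without a signature-level permission.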