PreferenceActivity should not be exported

This is a warning.

Id: ExportedPreferenceActivity
Summary: PreferenceActivity should not be exported
Severity: Warning
Category: Security
Platform: Android
Vendor: Android Open Source Project
Feedback: https://issuetracker.google.com/issues/new?component=192708
Since: Initial
Affects: Kotlin and Java files and manifest files
Editing: This check runs on the fly in the IDE editor
See: http://securityintelligence.com/new-vulnerability-android-framework-fragment-injection
See: https://goo.gle/ExportedPreferenceActivity
Implementation: Source Code
Tests: Source Code
Copyright Year: 2014

Fragment injection gives anyone who can send your PreferenceActivity an intent the ability to load any fragment, with any arguments, in your process.

Example

Here is an example of lint warnings produced by this check:

AndroidManifest.xml:28:Warning: PreferenceActivity should not be
exported [ExportedPreferenceActivity]
    <activity
    ^

Here is the source file referenced above:

AndroidManifest.xml:

<?xml version="1.0" encoding="utf-8"?>
<!--
  ~ Copyright (C) 2014 The Android Open Source Project
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~      http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="test.bytecode"
    android:versionCode="1"
    android:versionName="1.0" >

    <uses-sdk android:minSdkVersion="10" />

    <application
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name" >

        <activity
            android:name="android.preference.PreferenceActivity"
            android:label="@string/app_name" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

You can also visit the source code for the unit tests for this check to see additional scenarios.

The above example was automatically extracted from the first unit test found for this lint check, PreferenceActivityDetector.testWarningWhenImplicitlyExportingPreferenceActivity. To report a problem with this extracted sample, visit https://issuetracker.google.com/issues/new?component=192708.
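The manifest above never sets android:exported, yet it is flagged: an activity that declares an intent-filter and omits the attribute is exported implicitly. The following Python sketch of that rule is an added example, not the lint check's own implementation. It reads manifest text only, so the function names, the constructed sample manifest and the `extra_subclasses` parameter (class names you already know extend PreferenceActivity) are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PREFERENCE_ACTIVITY = "android.preference.PreferenceActivity"


def _attr(element, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(activity):
    """An explicit android:exported wins; otherwise an intent-filter implies export."""
    explicit = _attr(activity, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return activity.find("intent-filter") is not None


def resolve_name(package, name):
    """Expand manifest shorthand (".Foo" or "Foo") to a fully qualified class name."""
    if name.startswith("."):
        return package + name
    return name if "." in name else f"{package}.{name}"


def find_exported_preference_activities(manifest_xml, extra_subclasses=()):
    """Return exported activities that are PreferenceActivity or a listed subclass."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    targets = {PREFERENCE_ACTIVITY, *extra_subclasses}  # assumption: caller supplies subclasses
    findings = []
    for activity in root.iter("activity"):
        fqcn = resolve_name(package, _attr(activity, "name") or "")
        if fqcn in targets and is_exported(activity):
            findings.append(fqcn)
    return findings


# Constructed sample manifest (not from the lint test suite).
SAMPLE = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="test.bytecode">
  <application>
    <activity android:name="android.preference.PreferenceActivity">
      <intent-filter><action android:name="android.intent.action.MAIN" /></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false" />
    <activity android:name=".LegacySettings" android:exported="true" />
  </application>
</manifest>
"""
```

The lint check itself also inspects Kotlin and Java sources, which this manifest-only sketch cannot do.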

Suppressing

You can suppress false positives using one of the following mechanisms:
