Exported service does not require permission

Exported service does not require permission

This is a warning.

Id

ExportedService

Summary

Exported service does not require permission

Severity

Warning

Category

Security

Platform

Android

Vendor

Android Open Source Project

Feedback

https://issuetracker.google.com/issues/new?component=192708

Since

Initial

Affects

Manifest files

Editing

This check runs on the fly in the IDE editor

See

https://goo.gle/ExportedService

Implementation

Source Code

Tests

Source Code

Copyright Year

2011

Exported services (services which either set exported=true or contain an intent-filter and do not specify exported=false) should define a permission that an entity must have in order to launch the service or bind to it. Without this, any application can use this service.

This lint check has an associated quickfix available in the IDE.

Example

Here is an example of lint warnings produced by this check:

AndroidManifest.xml:12:Warning: Exported service does not require
permission [ExportedService]
    <service
     -------

Here are the relevant source files:

AndroidManifest.xml:

<?xml version="1.0" encoding="utf-8"?> <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="foo.bar2" android:versionCode="1" android:versionName="1.0" > <uses-sdk android:minSdkVersion="14" /> <application android:icon="@drawable/ic_launcher" android:label="@string/app_name" > <service android:exported="true" android:label="@string/app_name" android:name="com.sample.service.serviceClass" android:process=":remote" > <intent-filter > <action android:name="com.sample.service.serviceClass" > </action> </intent-filter> </service> </application> </manifest>

res/values/strings.xml:

<?xml version="1.0" encoding="utf-8"?> <!-- Copyright (C) 2007 The Android Open Source Project Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <resources> <!-- Home --> <string name="home_title">Home Sample</string> <string name="show_all_apps">All</string> <!-- Home Menus --> <string name="menu_wallpaper">Wallpaper</string> <string name="menu_search">Search</string> <string name="menu_settings">Settings</string> <string name="sample" translatable="false">Ignore Me</string> <!-- Wallpaper --> <string name="wallpaper_instructions">Tap picture to set portrait wallpaper</string> </resources>

You can also visit the source code for the unit tests for this check to see additional scenarios.

The above example was automatically extracted from the first unit test found for this lint check, SecurityDetector.testBroken. To report a problem with this extracted sample, visit https://issuetracker.google.com/issues/new?component=192708.

Suppressing

You can suppress false positives using one of the following mechanisms:

formatted by Markdeep 1.18