I need to expose a module of my app to more than one app. Since, I did not specify any permission or expose attribute of the activity.
<activity
android:name=".MainActivity"
android:label="@string/app_name"
android:theme="@style/Theme.Transparent">
</activity>
With this, I can able to launch the application and i can able to do activity from other application too by calling intent.
But, When I integrate with SonarQube, its showing vulnerability and stating below issue.
Implement permissions on this exported component.
To fix this issue, I have tried following method.
In my app, I have defined the permission
<permission android:name="com.myApp.NORMAL_PERMISSION"
android:description="@string/perm_desc_NORMAL_PERMISSION"
android:label="@string/perm_label_NORMAL_PERMISSION"
android:protectionLevel="normal" />
and I refer this permission to my activity as below.
<activity
android:name=".MainActivity"
android:label="@string/app_name"
android:permission="com.myApp.NORMAL_PERMISSION"
android:theme="@style/Theme.Transparent">
But, I cannot able to do any action from other app by calling intent. But, vulnerability has been fixed.
If I add the below field to activity still its listed under vulnerability android:exported= "true"
if its android:exported= "false", vulnerability removed but app completely is not working
Let me know any other method to fix this vulnerability.
In my main activity which hash intent-filter action android.intent.action.MAIN and category android.intent.category.LAUNCHER.
Its intended to be launched from other applications without any special permissions.
So, its require no permission.
<activity
. . .
android:exported="true"
android:permission="" >
That being said defining the permission as empty string resolves the issues and explicitly shows your intent that there are no permissions needed to launch this activity.