Search code examples
androidfluttersecuritymanifest

Non exportable MainActivity in a Flutter application

We are currently working on a Flutter mobile application and have had a recommendation by the Security Engineers that we have to make each Activity in the AndroidManifest.xml mark as not exportable:

<activity
 android:screenOrientation="landscape"
 android:configChanges="keyboard|keyboardHidden|screenSize|orientation"
 android:name=".activities.MainActivity"
 android:exported="false">
  <intent-filter>
   <action android:name="android.intent.action.MAIN" />
   <category android:name="android.intent.category.LAUNCHER" />
  </intent-filter>
</activity>

After we did this we faced different behavior on our uploaded app. After installation on all android devices the PlayStore crashed after trying to start the app. The exception is that the MainActivity is not exported. When I click on the app icon it has different results. On some devices the app starts as intended (Android 11, 12, 13) and on some devices the notification "App not installed" occurs and it wont start (seen also on Android 11/12). It had also occured on two equal devices from Samsung with different Android versions, one was working the other not. Even when the exception occurs, I am able to run the application by long tapping on the icon and go to App Info and click on start, then it runs on every device.

So the question is, am I missing something in the manifest, as far as I know I should be able to set the flag to false. But I dont find anything about this when I try to find a sample for Flutter. I know that I could set the flag to true and ignore this, but I would like to understand why I have to do this and is it just not possible for the MainActivity itself?

Solution

  • a recommendation by the Security Engineers that we have to make each Activity in the AndroidManifest.xml mark as not exportable

    Activities that need to be discovered and launched by third-party apps need to be exported. This includes any activities that are to be shown by the launcher, such as those with the <intent-filter> shown in your code. Few if any apps can have zero exported activities.

    as far as I know I should be able to set the flag to false

    That activity should be exported, with that flag set to true.