(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)

In Android apps, if the export value of a component is explicitly marked false in the app's manifest file, the component is made private. Any application can access components that are not explicitly assigned an access permission.

 

Noncompliant Code Example

This noncompliant code example shows an application that creates a file that is world readable, and hence not secure.

...

Any application can access components that are not explicitly assigned an access permission.

Compliant Solution

In this compliant solution the export value of a component is explicitly marked false in the app's manifest file, making the component private.

 

Risk Assessment

By not limiting access to a component intended to be private, sensitive information or capabilities could be leaked.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
| --- | --- | --- | --- | --- | --- |
| DRD16-J | Medium | Probable | Medium | P8 | L2 |

Automated Detection

Automatic detection of the labelling of every component in the manifest as exported true or false would be straightforward. It is not feasible to automatically determine whether the component was meant to be private or not.


 

 

 

...
