Exported Android components can be interacted with by other apps on the device. In order to safely instantiate these components, android:exported must be explicitly set. An Android component can be marked as exported by explicitly setting android:exported="true" in the manifest.
Exported application components that are not restricted using permissions can be launched/started by other applications and can leak sensitive data.
Attacker applications can also leverage the exported component to modify the internal state of the victim application or phish the user.
Android Apps which do not explicitly set this will NOT be able to install to Android 12 devices.
Steps to Reproduce
The AndroidManifest.xml is checked for activities, services, or broadcast receivers which do not explicitly declare android:exported.
Business Impact
This flaw exposes the app to other applications stealing data from users, and apps which do not explicitly set this value called out will NOT be able to install to Android 12 devices meaning that your users may not be able to install the app on newer devices.
Remediation Resources
For any activities, services, or broadcast receivers in the app, ensure that android:exported is explicitly declared.
Finding Description
Exported Android components can be interacted with by other apps on the device. In order to safely instantiate these components, android:exported must be explicitly set. An Android component can be marked as exported by explicitly setting android:exported="true" in the manifest. Exported application components that are not restricted using permissions can be launched/started by other applications and can leak sensitive data. Attacker applications can also leverage the exported component to modify the internal state of the victim application or phish the user. Android Apps which do not explicitly set this will NOT be able to install to Android 12 devices.
Steps to Reproduce
The AndroidManifest.xml is checked for activities, services, or broadcast receivers which do not explicitly declare android:exported.
Business Impact
This flaw exposes the app to other applications stealing data from users, and apps which do not explicitly set this value called out will NOT be able to install to Android 12 devices meaning that your users may not be able to install the app on newer devices.
Remediation Resources
For any activities, services, or broadcast receivers in the app, ensure that android:exported is explicitly declared.
Risk and Regulatory Information
Severity: high CVSS: 7.6
Application
See more detail in the NowSecure Report