Yesterday, while scanning an application for vulnerabilities with 360, the scan results flagged an android:exported attribute. I did not know this attribute or what it does. See the details:
So I checked the official API documentation to learn about this attribute.
android:exported is an attribute shared by all four Android component types: Activity, Service, Provider and Receiver.
Its main role is to control whether other applications may invoke the current component.
Default value: true if the component declares an intent filter; false if it declares none.
Here's a detailed look at this attribute in the four components:
1. Activity:
<activity …… android:exported=["true"| "false"] ……/>
The meaning is as follows:
In an activity, this attribute indicates whether the activity can be started by components of other applications: true allows it, false does not.
If set to false, the activity can only be started by components of the same application or of applications with the same user ID.
The default value of exported depends on whether the activity has an intent filter. No filter means the activity can be started only by specifying its exact class name. This implies the activity is meant for use only inside the app, because other applications do not know the class exists. So in this case the default value is false. On the other hand, if the activity has at least one filter, it can be started externally by other applications, and the default value is true.
This attribute is not the only way to control whether an activity is exposed to other applications. You can also use a permission to restrict which external entities may start the activity (see the permission attribute for details).
2. Service:
<service android:enabled=["true" | "false"]
         android:exported=["true" | "false"]
         android:icon="drawable resource"
         android:isolatedProcess=["true" | "false"]
         android:label="string resource"
         android:name="string"
         android:permission="string"
         android:process="string" >
    . . .
</service>
The meaning is as follows:
This attribute indicates whether components of other applications can start the service or interact with it: true if they can, false if not. If false, only components of the same application or of applications with the same user ID can start the service or bind to it.
The default value depends on whether the service has an intent filter. If no filter is present, the service can be started only by specifying its exact class name. This implies the service is meant for use only inside the app (because other apps do not know the class name). So in this case its default value is false. On the other hand, if there is at least one filter, the service can be used by external applications, and the default value is true.
This attribute is not the only way to control whether a service is exposed to other applications. You can also use a permission to restrict which external entities may interact with the service (see the permission attribute for details).
3. Provider:
<provider android:authorities="list"
          android:enabled=["true" | "false"]
          android:exported=["true" | "false"]
          android:grantUriPermissions=["true" | "false"]
          android:icon="drawable resource"
          android:initOrder="integer"
          android:label="string resource"
          android:multiprocess=["true" | "false"]
          android:name="string"
          android:permission="string"
          android:writePermission="string" >
    . . .
</provider>
The meaning is as follows:
Whether the content provider is available for other applications to use:
True: The provider is available to other applications. Any app can access it through the provider's content URI, subject to the permissions specified for the provider.
False: The provider is not available to other applications. Set android:exported="false" to restrict access to your app's provider. Only apps with the same user ID can access it.
When the minimum version of the Android SDK is 16 or lower, its default value is true. If the version is 17 or above, the default value is false.
You can limit other apps' access to your provider by combining android:exported="false" with permissions.
4. Receiver:
<receiver android:enabled=["true" | "false"]
          android:exported=["true" | "false"]
          android:icon="drawable resource"
          android:label="string resource"
          android:name="string"
          android:permission="string"
          android:process="string" >
    . . .
</receiver>
The meaning is as follows:
Whether the broadcast receiver can receive messages from sources outside its application: true if it can, false if not. If false, the broadcast receiver can only receive broadcasts sent by components of the same app or of apps with the same user ID.
The default value depends on whether the broadcast receiver contains an intent filter. If there is no filter, it can be invoked only by Intent objects that specify its exact class name. This implies the receiver is meant for use only inside the application (because other applications do not know the class exists). In this case, the default value is false. If at least one filter is present, the broadcast receiver is meant to receive broadcasts from the system or other applications, and the default value is true.
This attribute is not the only way to control whether a broadcast receiver is exposed to other applications. You can also use a permission to restrict which external apps may send it messages.
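The default rules from the four sections above can be checked mechanically. The following Python script is an added example, not part of the original article: it parses a constructed sample manifest, computes each component's effective exported value, and lists exported components that declare no android:permission. The names SAMPLE, effective_exported, audit and unprotected are illustrative.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "provider", "receiver")

# Constructed sample manifest, not taken from a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="16"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def effective_exported(elem, min_sdk):
    """Explicit android:exported wins; otherwise apply the defaults described above."""
    explicit = elem.get(NS + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if elem.tag == "provider":
        return min_sdk <= 16  # provider default follows the SDK level, as stated above
    return elem.find("intent-filter") is not None  # a filter makes the default true

def audit(manifest_xml):
    """Return (tag, name, exported, permission) for each declared component."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(NS + "minSdkVersion", "1")) if sdk is not None else 1
    return [(e.tag, e.get(NS + "name"), effective_exported(e, min_sdk),
             e.get(NS + "permission"))
            for e in root.iter() if e.tag in COMPONENTS]

def unprotected(rows):
    """Names of components other apps can reach with no permission gate."""
    return [name for _, name, exported, perm in rows if exported and not perm]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    print("review:", unprotected(audit(SAMPLE)))
```

In the sample, the receiver's explicit android:exported="false" overrides the true default its intent filter would otherwise give it, and the provider is exported only because the manifest's minimum SDK is 16.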
For the two concepts mentioned above, user ID and permission, I found two good articles online:
1. Permission detection and UID mechanism in startactivity in Android
2. Android Permission mechanism