CWE-926: Exported Components
Overview
Android applications can export components such as activities, services, and broadcast receivers. These components can be invoked by other applications and can be used to perform malicious actions and extract, modify information without user cconsent.
Manifest Scanner Checks
Exported Activities
Description
Exported activities can be invoked by external applications without any user interaction or consent. This can allow attackers to launch activities to steal data or perform unintended actions. For example, an attacker can launch an activity to steal user credentials or launch an activity to perform a transaction without user consent.
Manifest Scanner Check
$ manifest-scanner -f /path/to/android-project -c CWE-926
Exported Services
Description
Exported services can be invoked by external applications without any user interaction or consent. This can allow attackers to launch services to steal data or perform unintended actions. For example, an attacker can launch a service to steal user credentials or launch a service to perform a transaction without user consent.
Manifest Scanner Check
$ manifest-scanner -f /path/to/android-project -c CWE-926
Exported Broadcast Receivers
Description
Exported broadcast receivers can be invoked by external applications without any user interaction or consent. This can allow attackers to launch broadcast receivers to steal data or perform unintended actions. For example, an attacker can launch a broadcast receiver to steal user credentials or launch a broadcast receiver to perform a transaction without user consent.
Manifest Scanner Check
$ manifest-scanner -f /path/to/android-project -c CWE-926
Exported Content Providers
Description
Exported content providers can be invoked by external applications without any user interaction or consent. This can allow attackers to launch content providers to steal data or perform unintended actions. For example, an attacker can launch a content provider to steal user credentials or launch a content provider to perform a transaction without user consent.
Manifest Scanner Check
$ manifest-scanner -f /path/to/android-project -c CWE-926
References
- https://developer.android.com/guide/topics/manifest/activity-element
- https://developer.android.com/guide/topics/manifest/service-element
- https://developer.android.com/guide/topics/manifest/receiver-element
- https://developer.android.com/guide/topics/manifest/provider-element
Other Resources
- https://developer.android.com/guide/components/fundamentals
- https://developer.android.com/guide/components/intents-filters
- https://developer.android.com/guide/components/activities/intro-activities
- https://developer.android.com/guide/components/services
- https://developer.android.com/guide/components/broadcasts
- https://developer.android.com/guide/topics/providers/content-provider-basics
- https://developer.android.com/guide/topics/providers/content-provider-creating