PTKD Mobile App Security
Severity: medium | M8 | MASVS-PLATFORM-1 | static analysis | PTKD-CFG-EXPORTED

Exported component without a permission guard

A component is reachable by any other app on the device and is not protected by a permission. A launcher entry point is expected to be exported and is not reported.

How it's exploited

An exported activity/service/provider without a permission is a public entry point: any installed app can launch it, feed it intents, or query it. Exported providers frequently leak whole databases; exported activities skip your login wall.

Why it matters

Other apps on the device can read data or drive flows you assumed were internal.

How to fix it

  1. Set android:exported="false" on every component that does not need external callers.
  2. Where export is required, guard it with a signature permission and validate every incoming intent extra.
  3. For providers, prefer grantUriPermissions for scoped, temporary sharing over blanket export.

Guarding a component that must stay exported
<permission android:name="com.you.PERM" android:protectionLevel="signature"/>
<provider android:name=".DataProvider"
  android:exported="true"
  android:permission="com.you.PERM" .../>
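
The rule behind this finding, written as a small manifest check (an added example, not PTKD's own analyzer code). The sample manifest and its component names are constructed. Two assumptions: a missing android:exported plus an intent filter is treated as exported (the pre-Android 12 default), and a provider with only one of readPermission/writePermission is treated as unguarded.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest; component names are made up for the example.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application>
  <activity android:name=".Main" android:exported="true">
   <intent-filter><action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
  </activity>
  <activity android:name=".Settings" android:exported="true"/>
  <service android:name=".Sync">
   <intent-filter><action android:name="com.you.SYNC"/></intent-filter>
  </service>
  <provider android:name=".DataProvider" android:exported="true" android:permission="com.you.PERM"/>
  <provider android:name=".Files" android:exported="true" android:readPermission="com.you.PERM"/>
  <receiver android:name=".Internal" android:exported="false"/>
 </application>
</manifest>"""

def is_launcher(el):
    # Launcher entry point: MAIN action and LAUNCHER category in the same filter.
    want = {"android.intent.action.MAIN", "android.intent.category.LAUNCHER"}
    return any(want <= {n.get(A + "name") for n in f} for f in el.findall("intent-filter"))

def is_exported(el):
    explicit = el.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    # Assumption: with no explicit value, an intent filter implies export (pre-API 31 default).
    return el.find("intent-filter") is not None

def is_guarded(el, app_perm):
    # <application android:permission> is the default for every component.
    if el.get(A + "permission") or app_perm:
        return True
    # Assumption: a provider is guarded only when both reads and writes need a permission.
    return el.tag == "provider" and bool(el.get(A + "readPermission") and el.get(A + "writePermission"))

def unguarded_exports(manifest_xml):
    app = ET.fromstring(manifest_xml).find("application")
    app_perm = app.get(A + "permission")
    return [(el.tag, el.get(A + "name")) for el in app
            if el.tag in COMPONENTS and is_exported(el)
            and not is_launcher(el) and not is_guarded(el, app_perm)]
```

The check only confirms that a permission is named; whether that permission is declared with protectionLevel="signature" still has to be verified separately.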
