On Wed, May 16, 2012 at 9:58 AM, Mark Murphy <[email protected]> wrote: > On Wed, May 16, 2012 at 9:39 AM, Kristopher Micinski > <[email protected]> wrote: >>> 2) Not every intent is supposed to be public >> >> I don't think these are hard to figure out statically, though, so you >> can just throw those out. > > In theory, yes. > > A <receiver> for a non-public broadcast Intent, for example, should > have android:exported="false", just as a <provider> for an > internal-use-only ContentProvider should have > android:exported="false", and an <activity> or <service> with an > <intent-filter> but, for whatever reason, is still internal-use-only, > should have android:exported="false". > > In practice, I am willing to bet a substantial sum of money that there > are tens of thousands of apps on the Play Store that violate those > rules. In effect, they are exposing a public API without intending to > support such behavior. This is particularly true with <provider>, > since the default behavior is for it to be exported (vs. everything > else needing an <intent-filter> to be exported by default). Just > assuming that "if it's exported, everyone should use it" is an invalid > assumption, IMHO. >
I'm not saying that this should be *easy* to do, or that you should always use intents exported by other developers. But I am saying that, with minimal annotation from a smart developer, this is much easier to determine statically than what the intent "does." I also agree with you: and these are typically situations where confused deputy attacks abound... I had some scripts that mined the market to determine places where apps had intents "open," and saw a number of these cases, though I didn't have anything smart behind it to determine if those actually led to places that could introduce errors. > Also, AFAICT, a BroadcastReceiver registered via registerReceiver() is > always exported, insofar as you cannot put something in the > registerRecevier() call or IntentFilter to say "please, I only want > local broadcasts". On the plus side, with LocalBroadcastManager, we > can start moving away from using registerReceiver() for purely private > stuff. > Right. Kris -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
