Receiving Data With Activity causes Restrict access to exported components with appropriate permissions

The following activity is flagged for Major vulnerability “Restrict access to exported components with appropriate permissions”

                <action android:name="android.intent.action.SEND" />
                <action android:name="android.intent.action.SEND_MULTIPLE" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:mimeType="*/*" />

If I added a custom permission, my app will not show up on Android ShareSheet. I tried both “normal” and “dangerous”.

Removing android:exported will cause a warning from Android Studio and it recommends to add this attribute.

Is this a false positive by SonarQube?

Hello @Swen_Dev,

Welcome to the SonarQube/SonarCloud community!

You are perfectly right that there is a problem with the implementation of the rule S5594 which should not raise an issue in your context.

Your activity must be android:exported=true in order to show-up in the Android Sharesheet and no extra permission should be configured.

Here is the ticket created to fix the problem: SONARXML-142.

BTW, while reading the Android documentation to prepare the ticket, I noticed that:

You can receive a MIME type of */* , but this is highly discouraged unless you are fully capable of handling any type of incoming content.


Hello Alex,

Thank you for the quick response and we will take a look at your findings on MIME Type as well.



This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.