Receiving Data With Activity causes Restrict access to exported components with appropriate permissions

The following activity is flagged for the Major vulnerability “Restrict access to exported components with appropriate permissions”:

        <activity
            android:name="com.MyShareActivity"
            android:theme="@android:style/Theme.Translucent.NoTitleBar"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.SEND" />
                <action android:name="android.intent.action.SEND_MULTIPLE" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:mimeType="*/*" />
            </intent-filter>
        </activity>

If I add a custom permission, my app will not show up on the Android ShareSheet. I tried both “normal” and “dangerous”.

Removing android:exported will cause a warning from Android Studio, and it recommends adding this attribute.

Is this a false positive by SonarQube?

Hello @Swen_Dev,

Welcome to the SonarQube/SonarCloud community!

You are perfectly right that there is a problem with the implementation of the rule S5594 which should not raise an issue in your context.

Your activity must be android:exported=true in order to show up in the Android Sharesheet, and no extra permission should be configured.

Here is the ticket created to fix the problem: SONARXML-142.

BTW, while reading the Android documentation to prepare the ticket, I noticed that:

> You can receive a MIME type of */*, but this is highly discouraged unless you are fully capable of handling any type of incoming content.

Regards
Alex
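The two points in the answer above can be checked against a manifest with a short script. This is an added example, not SonarQube's implementation of S5594 and not code from the thread; the share-target exemption is an assumption drawn from the answer, and `com.example.SyncService` is a hypothetical component added to the constructed sample.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SHARE_ACTIONS = {"android.intent.action.SEND", "android.intent.action.SEND_MULTIPLE"}
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: the activity from the question plus a hypothetical exported service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name="com.MyShareActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.SEND" />
        <action android:name="android.intent.action.SEND_MULTIPLE" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:mimeType="*/*" />
      </intent-filter>
    </activity>
    <service android:name="com.example.SyncService" android:exported="true" />
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return (component name, finding) pairs for explicitly exported components."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    for comp in (c for c in app if c.tag in COMPONENTS):
        # Only an explicit android:exported="true" is considered in this sketch.
        if comp.get(ANDROID + "exported") != "true":
            continue
        name = comp.get(ANDROID + "name")
        filters = comp.findall("intent-filter")
        actions = {a.get(ANDROID + "name") for f in filters for a in f.findall("action")}
        mimes = {d.get(ANDROID + "mimeType") for f in filters for d in f.findall("data")}
        # Assumed exemption: a component whose filters declare only share actions
        # is a Sharesheet target and cannot be guarded by a permission.
        is_share_target = bool(actions) and actions <= SHARE_ACTIONS
        if not is_share_target and not comp.get(ANDROID + "permission"):
            findings.append((name, "exported without android:permission"))
        if is_share_target and "*/*" in mimes:
            findings.append((name, "share target accepts */*; narrow the mimeType"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {finding}")
```
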

Hello Alex,

Thank you for the quick response and we will take a look at your findings on MIME Type as well.

Cheers,

Suryadi
