SonarQube rules regarding exported interfaces in Android

Dear Community,
I have a generic question regarding SonarQube, related to Android.
I know that if in an Android Project, someone is exporting an interface (to be seen via the Android Manifest file) and does not ship this exported interface with a permission, this is reported by SonarQube as a security violation - and that is correct.

My question now is:
How are activities handled? Activities are also exported interfaces. What is your opinion? Should Activities also be protected with a permission? Should SonarQube report this as a violation if a dev-team is forgetting this? Or should the rules add an "ignore" on this case if the finding is regarding some activity?

What is your opinion?

Kind regards,
Franklin

Hi Franklin,
Welcome to our community and thank you very much for your post!

Our rule about exporting components of an Android app is S5594.
This rule covers the following components:

  • Providers
  • Activities
  • Activity-aliases
  • Services

So, in general, Activities should be protected just like Providers.
Of course, there can be exceptions for Activities that do not access sensitive data and that can be exported securely.

I hope I was able to help.

Best regards,
Daniel

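To make the reply concrete, here is an added example (not SonarSource's implementation of S5594 and not code from either poster) of the check the rule describes, run over a constructed AndroidManifest.xml that contains both the weak form and the corrected form of an exported activity. It assumes the pre-Android 12 implicit-export rule (a component with an intent-filter but no android:exported attribute is exported) and that a launcher activity is the one exported, permission-less activity every app legitimately has; the component and permission names are invented.

```python
"""Flag Android components that are exported without an android:permission.

Added example in the spirit of SonarQube rule S5594, not SonarSource's code.
Assumptions (not taken from the thread):
  - A component is exported when android:exported="true", or when the
    attribute is absent and the component declares an <intent-filter>
    (the implicit-export behaviour before Android 12).
  - A MAIN/LAUNCHER activity is exempt: it must be exported and the home
    screen does not hold a custom permission, so it is the textbook
    "exported securely" exception mentioned in the answer.
  - Only the four component types named in the answer are checked.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("provider", "activity", "activity-alias", "service")


def _attr(elem, name):
    """Read an attribute from the android: namespace, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem):
    exported = _attr(elem, "exported")
    if exported is not None:
        return exported.lower() == "true"
    # Implicit export: an intent-filter makes the component reachable by other apps
    return elem.find("intent-filter") is not None


def is_launcher(elem):
    """True if any intent-filter is the MAIN/LAUNCHER entry point."""
    for f in elem.findall("intent-filter"):
        actions = {_attr(a, "name") for a in f.findall("action")}
        cats = {_attr(c, "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and \
                "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def find_unprotected_exports(manifest_xml):
    """Return (tag, name) pairs for components exported without a permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS:
            continue
        if not is_exported(elem) or _attr(elem, "permission") is not None:
            continue
        if elem.tag == "activity" and is_launcher(elem):
            continue  # assumed exception: the app's entry point
        findings.append((elem.tag, _attr(elem, "name")))
    return findings


# Constructed sample manifest: one weak activity, its corrected twin,
# a launcher activity, an unexported service and a permission-gated provider.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <permission android:name="com.example.app.ADMIN"
      android:protectionLevel="signature" />
  <application>
    <!-- Weak: implicitly exported via intent-filter, no permission -->
    <activity android:name=".AdminActivity">
      <intent-filter>
        <action android:name="com.example.app.OPEN_ADMIN" />
        <category android:name="android.intent.category.DEFAULT" />
      </intent-filter>
    </activity>
    <!-- Corrected: exported explicitly but gated by a signature permission -->
    <activity android:name=".AdminActivityHardened"
        android:exported="true"
        android:permission="com.example.app.ADMIN">
      <intent-filter>
        <action android:name="com.example.app.OPEN_ADMIN" />
        <category android:name="android.intent.category.DEFAULT" />
      </intent-filter>
    </activity>
    <!-- Launcher: must be exported, cannot carry a custom permission -->
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false" />
    <provider android:name=".DataProvider"
        android:authorities="com.example.app.data"
        android:exported="true"
        android:permission="com.example.app.ADMIN" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f"{tag} {name}: exported without android:permission")
```

Run against the sample, only `.AdminActivity` is reported: it is reachable from any app through its intent-filter yet carries no permission, which is exactly the activity case Franklin asks about. The hardened twin keeps the same intent-filter but adds a `signature`-level permission, so only apps signed with the same key can start it; the launcher activity shows why a blanket "every exported activity needs a permission" rule needs at least one documented exception.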