The program does not explicitly set the exported attribute on a component.
Some components should always be private, meaning that other applications are not allowed to access them. The v0.9r1 release of the Android SDK introduced the notion of private components. There are two ways to determine whether a component is private: rely on the framework, which follows certain inference rules, or explicitly define the exported attribute on the component.
Example 1: Below is an example of an activity declared without explicitly setting the exported attribute.
<activity android:name="AndroidActivity"/>
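One way to audit a manifest for this issue, as an added example that is not part of the original page: the script lists every component that omits android:exported and notes what the framework would infer for it. The sample manifest, the function name find_missing_exported, and the component names other than AndroidActivity are constructed for illustration; the inference notes reflect the historical platform default, where the presence of an intent-filter makes an activity, service, or receiver exported.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
EXPORTED = f"{{{ANDROID_NS}}}exported"
NAME = f"{{{ANDROID_NS}}}name"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (illustrative, not from the original page).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name="AndroidActivity"/>
    <activity android:name="ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <service android:name="SyncService" android:exported="false"/>
    <provider android:name="NotesProvider"
              android:authorities="com.example.app.notes"/>
  </application>
</manifest>
"""

def find_missing_exported(manifest_xml):
    """Return (tag, name, inferred) for each component lacking android:exported."""
    root = ET.fromstring(manifest_xml.strip())
    findings = []
    for app in root.iter("application"):
        for comp in app:
            # Skip non-component children and components that set the attribute.
            if comp.tag not in COMPONENT_TAGS or EXPORTED in comp.attrib:
                continue
            if comp.tag == "provider":
                # Provider default changed with the targeted SDK level.
                inferred = "depends on SDK level"
            elif comp.find("intent-filter") is not None:
                inferred = "exported (has intent-filter)"
            else:
                inferred = "private (no intent-filter)"
            findings.append((comp.tag, comp.get(NAME), inferred))
    return findings

if __name__ == "__main__":
    for tag, name, inferred in find_missing_exported(SAMPLE_MANIFEST):
        print(f"{tag} {name}: android:exported not set; framework infers {inferred}")
```

Each finding is resolved by adding an explicit android:exported value to the component, so that its visibility no longer depends on inference.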