This question already has answers here:
How to address android lint complaint about exported Firebase Messaging service implementations?
(2 answers)
Closed 10 months ago.
I developed an android app with fcm implementation. After completion I done the app vulnerability testing and got the below result.
(com.app.MyFirebaseMessagingService) is not Protected. An
intent-filter exists.
high
A Service is found to be shared with other apps on the device
therefore leaving it accessible to any other application on the
device. The presence of intent-filter indicates that the Service is
explicitly exported.
Same result I got for the service MyFirebaseInstanceIDService. Below is my Manifest file code.
<service android:name="com.app.MyFirebaseMessagingService">
<intent-filter>
<action android:name="com.google.firebase.MESSAGING_EVENT" />
</intent-filter>
</service>
<service android:name="com.app.MyFirebaseInstanceIDService">
<intent-filter>
<action android:name="com.google.firebase.INSTANCE_ID_EVENT" />
</intent-filter>
</service>
Usually we will add a custom permission to protect a service from get accessed by other application. But how to do that for FCM service? or any other solution for this problem? Please help.
you don't have to worry about firebase take care of the security side link
FirebaseInstanceIdService performs security checks at runtime,
no need for explicit permissions despite exported="true"
Related
I am making an AccessibilityService to get package name of app where click events are registered. In my manifest do I need to ask for permission for
<uses-permission android:name="android.permission.BIND_ACCESSIBILITY_SERVICE" />
or inside the service tag, like this :
<service
android:name=".ListenToEvents"
android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
<intent-filter>
<action android:name="android.accessibilityservice.AccessibilityService" />
</intent-filter>
<meta-data
android:name="android.accessibilityservice"
android:resource="#xml/accessibility_service_config" />
</service>
I am guessing I don't need both but if I ask for permission outside the services tag in uses permission the ide tells me this permission will make my app a system app. when the permission is inside the service tag, however, it doesn't raise any such warning.
I do enable the settings for the app after installing. The callback on events is not being called.
first of all I would like to know if my app is a system app which needs to be installed in the system partition of the android phone. any further help will be greatly appreciated. I have already looked at two projects on GitHub but they are too big to sort out the pertinent code. so please help with the code necessary to do the basic task, of lets say listening to a tap event.
thanks
When you are building your own Accessibility Service, when you execute the app, the service will become present in Settings->Accessibility under 'Services' section. You can then turn on your service and run it on any app you want. Regarding developing an accessibility service, refer to the following,
https://codelabs.developers.google.com/codelabs/developing-android-a11y-service/#2
https://developer.android.com/guide/topics/ui/accessibility/service
For listening to clicks, I suggest going through 'Configuring the scroll button' section of Codelabs and using ACTION_CLICK instead of ACTION_SCROLL_FORWARD
To clarify about BIND_ACCESSIBILITY_SERVICE. You expose that permission in the service to guarantee that only the system can bind to your service. Only the system may use that permission.
In my Android application in manifest file i have following receiver and service declaration:
<receiver
android:name="com.google.android.gms.analytics.AnalyticsReceiver"
android:enabled="true">
<intent-filter>
<action android:name="com.google.android.gms.analytics.ANALYTICS_DISPATCH" />
</intent-filter>
</receiver>
<service
android:name="com.google.android.gms.analytics.AnalyticsService"
android:enabled="true"
android:exported="false" />
To be honest it's quite old app and I don't remember why I've put that there. It was probably taken from Google Analytics docs. But now I can't find any up-to-date information about it.
What is more Android Studio shows me warning with that receiver:
Receiver does not require permission
Exported receivers (receivers
which either set exported=true or contain an intent-filter and do not
specify exported=false) should define a permission that an entity must
have in order to launch the receiver or bind to it. Without this, any
application can use this receiver.
Do I really need that receiver and service in my code? What is this responsible for? Is it still actual?
If you are using the latest version of Google Analytics, no, you do not need to manually specify the service and receiver in your manifest file.
Here is the Google Analytics getting start guide for Android. Note that if you are upgrading from a significantly older version, you may have additional work to perform elsewhere to upgrade. You should read through the entire guide to ensure that your app is still configured properly.
At least on a device running Android Jelly Bean (4.2.2) the push notifications are only received if the app is running. I think I'm doing everything right, that is, Im calling Parse.initialize on an Application class (which is referenced on my application tag on the manifest) and I have Parse's PushService and My custom Parse's Push Broadcast Receiver declared on the manifest just like this:
<service android:name="com.parse.PushService" />
<receiver android:name=".ParseCustomPushBroadcastReceiver"
android:exported="false">
<intent-filter>
<action android:name="com.push.intent.RECEIVE" />
<action android:name="com.push.intent.DELETE" />
<action android:name="com.push.intent.OPEN" />
<action android:name="android.intent.action.BOOT_COMPLETED" />
<action android:name="android.intent.action.USER_PRESENT" />
</intent-filter>
</receiver>
I didnt force quit my app or anything else, for the matter.
I would like my app to always receive push notifications even when is not running, much alike what happens with popular apps such as WhatsApp, Facebook, Skype, etc.
I know I'm not the first one experiencing this problem because I've seen countless posts on several forums of people complaining of Parse push notifications not being received when the app is not running, but none of the answers to those posts offer a workaround...
So, can anyone explain why this even happens?? Is it an Android bug? Is it because Parse's PushService is not sticky? If yes, then, should not it be sticky???
And if possible, please, suggest a workaround for this problem! :)
Thanks!
Fellow Developers!
I have a sync adapter in my app and a corresponding sync service. I have declared everything, including the sync service, according to Google example code. The greater picture looks something like this:
<service
android:name="com.myapp.SyncService"
android:exported="true"
android:process=":sync">
<intent-filter>
<action
android:name="android.content.SyncAdapter"/>
</intent-filter>
<meta-data
android:name="android.content.SyncAdapter"
android:resource="#xml/syncadapter" />
</service>
While it makes sense to set the android:exported attribute to true on the service (enabling the Android system to reach it), I'm a bit puzzled on how to tie it down in terms of access rights. I don't want anyone else but my app and the Android system to have access to the service.
Maybe a bit naively I have created my own permission for this:
<permission
android:name="com.myapp.permission.SYNC_ADAPTER"
android:protectionLevel="signatureOrSystem" />
But reading up a bit on the protectionLevel makes me wonder even more. Google says:
Please avoid using this option [...] "signatureOrSystem" permission is used for certain special situations where multiple vendors have applications built into a system image and need to share specific features explicitly because they are being built together.
The described scenario is far from my use case. The question then remains:
How do I secure my sync service so that the Android system, but no third party apps, can access it?
Any clarification would be greatly appreciated!
beworker is quite right. I have used signature permission and the system is able to sync without any trouble.
It doesn't look like there is a SyncAdapter permission. I'm guessing that we can safely ignore the error. See the bug filed here: https://code.google.com/p/android/issues/detail?id=37280
I have the same problem. Looking at this example source code here as a guide https://android.googlesource.com/platform/packages/apps/Exchange/+/ics-mr0/AndroidManifest.xml it seems to be that the sync adapters have plainly exported="true" without any permissions.
The 'signature' protection level should be sufficient for your use case, which grants access to the system package. 'signatureOrSystem' also grants access to apps built into the system image.
Source code: see grantSignaturePermission() method
https://android.googlesource.com/platform/frameworks/base/+/a029ea1/services/java/com/android/server/pm/PackageManagerService.java
You can safely set exported=false for both services
one service registering to the SyncAdapter
one service registering to the AccountAuthenticator intents
The system can still call the SyncAdapter Service via intents.
The reason why this works is mentioned in the official exported guide
If false, the activity can be launched ... [by] privileged system components.
I.e. you don't need to struggle with exported=true.
tested on Android 10 (Emulator with targetVersion: 30)
tested on Android 13 (with targetVersion: 31)
Old answer
The following is (for me) irrelevant as the above works.
I interpreted the replies in this thread this way:
Requesting this permission (see example) in an exported service (see below) should only allow apps signed with your signature - and the system - to call this service.
If you use exported=false then the system cannot call your service, i.e. Synchronization won't start if your app is closed(?)
<permission
android:name="com.myapp.USE_SYNC_AND_AUTHENTICATOR"
android:protectionLevel="signature" />
<application>
<!-- Export sync and auth to allow the Android System to call them. -->
<!-- Protect it using a signature permission. -->
<service
android:name="com.myapp.SyncService"
android:exported="true"
android:process=":sync"
android:permission="com.myapp.USE_SYNC_AND_AUTHENTICATOR">
<intent-filter>
<action android:name="android.content.SyncAdapter" />
</intent-filter>
<meta-data
android:name="android.content.SyncAdapter"
android:resource="#xml/sync_adapter" />
</service>
<service>..authenticator..</service>
</application>
I created a service that is bound by other applications through AIDL, and I add it to the manifest as follows:
<service android:name=".MyService">
<intent-filter>
<action android:name="org.example.android.myservicedemo.IService" />
</intent-filter>
</service>
where IService is the AIDL interface.
In this way, Eclipse show me the warning Exported service does not require permission. If I remove the intent-filter, the warning disappear, but obviously the applications are unable to bind to the service.
What does this warning mean?
I had the same issue when I updated SDK to version 20. I removed it adding android:exported property android:exported="false" like so:
<service android:name=".MyService"
android:exported="false">
<intent-filter>
<action android:name="org.example.android.myservicedemo.IService" />
</intent-filter>
</service>
See this doc
If you want to restrict you activity usage to your own application, then you should add exported=false to your activity's manifest statement.
If you want to allow other applications to use it (explicitly through its class name or, better, by using an intent with a data type or action) then you have two choices :
restrict those applications by using a permission
allow all applications to use it, then you can add tools:ignore="ExportedActivity" to your activity's manifest statement.
--
Same reasonning applies to a service, with tools:ignore="ExportedService" and content providers with tools:ignore="ExportedContentProvider".
As Jens said, "It means that other (arbitrary) applications the user has on his phone can bind to your Service and call whatever method they please that is exposed through your AIDL interface."