Android app security test failed! ... Saying, component is not Protected. An intent-filter exists

Our client has reported some security issues with Activities and BroadcastReceivers.

The security test result says:

(com.****.*****.Activity / BroadcastReceiver) is
not Protected.
An intent-filter exists.

The thing they have in common is that they all contain an intent-filter.

Please suggest what I should do?

You can set android:exported="false" for the activity in the manifest:

android:exported : This element sets whether the activity can be launched by components of other applications — "true" if it can be, and "false" if not. If "false", the activity can be launched only by components of the same application or applications with the same user ID. If you are using intent filters, you should not set this element "false". If you do so, and an app tries to call the activity, system throws an ActivityNotFoundException. Instead, you should prevent other apps from calling the activity by not setting intent filters for it.

If you do not have intent filters, the default value for this element is "false". If you set the element "true", the activity is accessible to any app that knows its exact class name, but does not resolve when the system tries to match an implicit intent.

This attribute is not the only way to limit an activity's exposure to other applications. You can also use a permission to limit the external entities that can invoke the activity (see the permission attribute).

<activity
        android:name=".activities.YourActivity"
        android:exported="false" />

You can do the same for the BroadcastReceiver.
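
To see which components a scanner would report before and after this change, the check can be reproduced against the manifest source. This is an added example, not part of the original answer: the sample manifest is constructed, and `unprotected_components` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
KINDS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest (not from the original post).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".activities.YourActivity">
      <intent-filter><action android:name="com.example.app.OPEN" /></intent-filter>
    </activity>
    <activity android:name=".activities.InternalActivity" android:exported="false" />
    <receiver android:name=".SyncReceiver" android:permission="com.example.app.SYNC">
      <intent-filter><action android:name="com.example.app.SYNC_NOW" /></intent-filter>
    </receiver>
  </application>
</manifest>"""


def unprotected_components(manifest_xml):
    """Return (kind, name, reason) for components other apps can reach without a permission."""
    findings = []
    for comp in ET.fromstring(manifest_xml).iterfind("application/*"):
        if comp.tag not in KINDS:
            continue
        filters = comp.findall("intent-filter")
        exported = comp.get(ANDROID + "exported")
        # With no explicit value, an intent-filter makes the component exported
        # (apps targeting Android 12+ must declare the attribute explicitly).
        is_exported = exported == "true" if exported is not None else bool(filters)
        if not is_exported or comp.get(ANDROID + "permission"):
            continue
        launcher = any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
                       for f in filters for c in f.findall("category"))
        reason = "launcher entry point" if launcher else (
            "exported by intent-filter default" if exported is None else "exported explicitly")
        findings.append((comp.tag, comp.get(ANDROID + "name"), reason))
    return findings


if __name__ == "__main__":
    for kind, name, reason in unprotected_components(SAMPLE_MANIFEST):
        print(f"{kind} {name}: not protected ({reason})")
```

The launcher activity is still listed because it has to stay exported; the receiver is not, because its `android:permission` attribute restricts who can send to it.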