Over-Exported Components
Description
Android Activities, Services, and Broadcast Receivers that are exported unintentionally can be invoked by any app. If these components perform privileged actions or trust caller‑supplied data, attackers can trigger sensitive flows without user interaction.
Examples
Enumerate and Launch Exported Activities
adb shell dumpsys package com.example.app | rg -n "exported=true"
adb shell am start -n com.example.app/.SensitiveActivity
If the activity launches and performs a privileged action without authorization, it is exploitable.
Broadcast Injection
adb shell am broadcast -a com.example.app.SECRET_ACTION --es cmd "wipe"
If an exported receiver accepts the broadcast and acts on it, caller validation is missing.
Remediation
- Default‑deny exporting
- Set android:exported="false"; only export when necessary and require signature‑level permissions.
- Validate and authorize
- Verify caller identity; validate Intent extras; enforce in‑app authorization checks for sensitive actions.
- Automate checks
- Lint manifests in CI; block builds when exported components change without review.
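
One way to run the manifest lint described above in CI, as an added example (not code from the original page). It covers activities, activity aliases, services and receivers. The sample manifest, the `approved` baseline and both function names are assumptions, and only permissions declared in the same manifest are treated as signature-level.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest, not taken from a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <permission android:name="com.example.app.INTERNAL" android:protectionLevel="signature"/>
 <application>
  <activity android:name=".MainActivity" android:exported="true"/>
  <activity android:name=".SensitiveActivity" android:exported="true"/>
  <receiver android:name=".SecretReceiver">
   <intent-filter><action android:name="com.example.app.SECRET_ACTION"/></intent-filter>
  </receiver>
  <service android:name=".SyncService" android:exported="true"
           android:permission="com.example.app.INTERNAL"/>
  <service android:name=".LocalService" android:exported="false"/>
 </application>
</manifest>"""

def exported_components(manifest_xml):
    """Map each component reachable by other apps to the reason it was flagged."""
    root = ET.fromstring(manifest_xml)
    # Permissions declared in this manifest with a signature-based protection level.
    sig_perms = {p.get(A + "name") for p in root.iter("permission")
                 if p.get(A + "protectionLevel", "normal").startswith("signature")}
    app = root.find("application")
    app_perm = app.get(A + "permission") if app is not None else None
    findings = {}
    for comp in (c for tag in TAGS for c in root.iter(tag)):
        name, exported = comp.get(A + "name"), comp.get(A + "exported")
        # Without android:exported, an intent-filter makes the component exported.
        implicit = exported is None and comp.find("intent-filter") is not None
        if exported != "true" and not implicit:
            continue  # explicitly private, or no attribute and no filter
        perm = comp.get(A + "permission") or app_perm
        if perm in sig_perms:
            continue  # only same-signature callers can reach it
        how = "implicitly exported by intent-filter" if implicit else "exported"
        gate = "permission %s is not signature-level" % perm if perm else "no permission"
        findings[name] = "%s, %s" % (how, gate)
    return findings

def unreviewed(manifest_xml, approved):
    """Findings missing from the reviewed baseline; non-empty should fail the build."""
    found = exported_components(manifest_xml)
    return {n: why for n, why in found.items() if n not in approved}

if __name__ == "__main__":
    for name, why in sorted(unreviewed(SAMPLE, approved={".MainActivity"}).items()):
        print("FAIL %s: %s" % (name, why))
```

Keep the `approved` set in a file that requires review to change, so a newly exported component fails the build until someone signs off on it.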