Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Exported content providers can provide access to potentially sensitive data

I'm using ContentProvider in my android application to share the database between the application. For sharing the database I need to add the provider access in AndroidManifest.xml like as follows:

<provider
android:name="Contentprovider"
android:authorities="umb.con.apps.vid" />

I added and implemented successfully but the warning message showing in the <provider/> tag like this "Exported content providers can provide access to potentially sensitive data". Will it cause any security problem in future?

like image 956
Rajesh Rajaram Avatar asked Nov 19 '12 06:11

Rajesh Rajaram


People also ask

How do content providers access data?

When you want to access data in a content provider, you use the ContentResolver object in your application's Context to communicate with the provider as a client. The ContentResolver object communicates with the provider object, an instance of a class that implements ContentProvider .

What is exported in Android manifest?

The exported attribute is used to define if an activity, service, or receiver in your app is accessible and can be launched from an external application. As a practical example, if you try to share a file you'll see a set of applications available.

Why does the content provider need to be declared in the Android manifest?

A content provider is a subclass of ContentProvider that supplies structured access to data managed by the application. All content providers in your application must be defined in a <provider> element in the manifest file; otherwise, the system is unaware of them and doesn't run them.


2 Answers

If you just want the content provider to be accessed internally from within your app, simply add

android:exported="false"

into the node in the manifest.

From the doc:

false: The provider is not available to other applications. Set android:exported="false" to limit access to the provider to your applications. Only applications that have the same user ID (UID) as the provider will have access to it.

If, on the other hand, you really want to expose your data to other apps but you also have sensitive data in your data storage, remember that you can have more than one content provider and thus expose just the "public" one.

like image 144
fedepaol Avatar answered Oct 13 '22 18:10

fedepaol


Also if you are sure that you want to allow external access to your content provider and silence the warning add tools:ignore="ExportedContentProvider"

e.g.

<provider
tools:ignore="ExportedContentProvider"
android:exported="true"
android:name="Contentprovider"
android:authorities="umb.con.apps.vid" />
like image 37
plaisthos Avatar answered Oct 13 '22 19:10

plaisthos