Is there a way to keep meta-data in the Android manifest private to the package?

Question

I want to use meta-data in the Android manifest to customize the behavior of a service.

<service
    android:name=".SampleService"
    android:exported="false">
    <meta-data
        android:name="sampleName"
        android:resource="@string/sampleValue" />
</service>

My service is part of a library, and it is possible some may put sensitive data into these attributes when they use my service. Are these meta-data attributes visible to other installed packages on the phone via the PackageManager even if the service is not exported?

Answer 1

Are these meta-data attributes visible to other installed packages on the phone via the PackageManager even if the service is not exported?

Yes. Everything in the manifest, and everything in your resources and assets, is accessible to all applications on the device.

Answer 2

After doing some tests I confirmed that all meta-data fields are visible to all packages, as CommonsWare said. However, I also discovered that you can keep the content of the value private, by using android:resource instead of android:value. When you use android:resource only the integer id of the resource is returned from the PackageManager, and therefore only your package will have access to the actual resource value.

Update: It turns out that CommonsWare was right again. After investigating further, all resources and assets are publicly visible to ALL packages installed on the device. No permissions are required.

PackageManager pm = getPackageManager();
PackageInfo info = pm.getPackageInfo("test.package", PackageManager.GET_META_DATA|PackageManager.GET_SERVICES);
int resourceId = info.services[0].metaData.getInt("sampleName");
String resourceValue = pm.getResourcesForApplication("test.package").getString(resourceId);