
When setting exported = false, the app doesn't launch

My Android app went through the Quixxi Vulnerability scan and one of the High risk issues was:

Vulnerability : Using Activities/Improper Export of Android Application Activities
Severity : High

Export tag for following activities are not used properly:
com.domain.appname.activities.SplashActivity

In the manifest it looks like this:

<activity
    android:name=".activities.SplashActivity"
    android:exported="true"
    android:theme="@style/SplashTheme">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />

        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>

When I set android:exported="false" the app doesn't start anymore and Android Studio just shows Client not ready yet...

How can I fix the vulnerability reported by Quixxi?

narzero asked Jan 03 '23 08:01


2 Answers

There is no vulnerability, and you cannot "fix" it in terms of somehow improving the security. A launcher activity is supposed to be launched by third-party launchers, and hence it needs to be exported.

Since you have an <intent-filter>, having android:exported is not necessary. It is possible that by removing this attribute, you will "fix" the problem from Quixxi's perspective.

You might reconsider using Quixxi, given this false positive report.

CommonsWare answered Jan 08 '23 10:01
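
One way to triage this kind of static-analysis finding, as an added example that is not part of the answers above or of Quixxi's tooling: the script reads a manifest and separates the MAIN/LAUNCHER entry point, which has to be exported, from other exported activities that deserve review. The manifest is constructed from the question's snippet; SettingsActivity and DetailActivity are hypothetical names added for contrast.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the question's SplashActivity plus two hypothetical
# activities (SettingsActivity, DetailActivity) added for contrast.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".activities.SplashActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".activities.SettingsActivity" android:exported="true" />
    <activity android:name=".activities.DetailActivity" />
  </application>
</manifest>"""


def is_launcher(activity):
    """True if any intent-filter declares both MAIN and LAUNCHER."""
    wanted = {"android.intent.action.MAIN", "android.intent.category.LAUNCHER"}
    return any(wanted <= {e.get(ANDROID + "name") for e in f}
               for f in activity.findall("intent-filter"))


def triage(manifest_xml):
    """Map each activity name to a triage verdict."""
    verdicts = {}
    for act in ET.fromstring(manifest_xml).iter("activity"):
        name = act.get(ANDROID + "name")
        explicit = act.get(ANDROID + "exported")
        has_filter = act.find("intent-filter") is not None
        # With no attribute, the platform default is "exported" only when an
        # intent-filter is present (targetSdk 31+ requires it to be explicit).
        exported = (explicit == "true") if explicit is not None else has_filter
        if is_launcher(act):
            verdicts[name] = "launcher: must be exported" if exported \
                else "launcher not exported: cannot be launched"
        elif exported:
            verdicts[name] = "exported: review who may start it"
        else:
            verdicts[name] = "internal"
    return verdicts

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_MANIFEST).items():
        print(f"{name}: {verdict}")
```
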


The issue has been fixed, thanks for raising the problem.

More generally, please bear in mind that the Quixxi Vulnerability Test is based on static analysis of the code. For this reason it is intrinsically subject, like every other vulnerability scanner on the market, to false positives that can really be assessed only with a dynamic analysis.

So our vulnerability report is intended to be an app pre-screening on the way the code is written and on the best SW practices to guarantee security to you and your end users.

Quixxi answered Jan 08 '23 10:01