Why is Content Provider without permissions and with exported=true accessible to any app?

Question

Here is a test I ran to understand Android Content Provider permissions:

App ProviderApp manifest:

<provider
    android:authorities="com.mycompany.myProviderApp"
    android:name="com.mycompany.myProviderApp.ContentProviderForMyOtherApps"
    android:exported="true"/>

I also implemented a dummy ContentProvider (ContentProviderForMyOtherApps) with a basic query method returning a string in ProviderApp:

public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
    String[] cols = {"column1"};
    MatrixCursor cursor = new MatrixCursor(cols);
    MatrixCursor.RowBuilder builder = cursor.newRow();
    builder.add("HELLO!");
    return cursor;
}

---

App ClientApp code:

Cursor cursor = getContentResolver().query(Uri.parse("content://com.mycompany.myProviderApp"),null,null,null,null);
cursor.moveToFirst();
Log.d(TAG, cursor.getString(0)); // output: HELLO!

---

Okay, so everything is working fine, ClientApp accesses the provider successfully.

But my understanding of the documentation, based on the excerpts below, is that ClientApp should have been denied access to the provider, because:

• ProviderApp manifest has no android:readPermission inside the provider (e.g. com.mycompany.myProviderApp.READ)
• ClientApp manifest has no matching uses-permission (e.g. com.mycompany.myProviderApp.READ)

Documentation excerpts:

If a provider's application doesn't specify any permissions, then other applications have no access to the provider's data.

https://developer.android.com/guide/topics/providers/content-provider-basics.html#Permissions

android:exported

Whether the content provider is available for other applications to use: true: The provider is available to other applications. Any application can use the provider's content URI to access it, subject to the permissions specified for the provider.

https://developer.android.com/guide/topics/manifest/provider-element.html

Why is this code (provider and client declaring NO permissions) actually working?

(What have I missed in the documentation?)

Answer 1

The documentation has a bug. This:

If a provider's application doesn't specify any permissions, then other applications have no access to the provider's data.

should read as:

If a provider's application doesn't specify any permissions, then other applications' access to the provider's data is determined solely by the android:exported value (true grants unlimited access to all applications; false blocks access by other applications) and android:grantUriPermissions value (which gets complicated).

IMHO, that whole section needs to be rewritten. But, with respect to your test, an exported permission-less provider is wide open, with any app being able to read and write with impunity.