Exported service does not require permission: what does it mean?

147
votes

I created a service that is bound by other applications through AIDL, and I add it to the manifest as follows:

<service android:name=".MyService">
    <intent-filter>
        <action android:name="org.example.android.myservicedemo.IService" />
    </intent-filter>
</service>

where IService is the AIDL interface.

In this way, Eclipse show me the warning Exported service does not require permission. If I remove the intent-filter, the warning disappear, but obviously the applications are unable to bind to the service.

What does this warning mean?

3
androidandroid-service
It means that other (arbitrary) applications the user has on his phone can bind to your Service and call whatever method they please that is exposed through your AIDL interface. - Jens
create a new <permission> in your AndroidManifest.xml and use the name of that as the android:permission attribute of your <service> declaration. Or just ignore the warning - what is the service intended to do? If you are fine with keeping the service "internal" it's much easier just to set android:exported="false" on your <service> - Jens
Then either ignore the warning or add a <permission>, use "signature" if they're all your own applications signed with the same certificate or just go with "normal" otherwise. - Jens
You're already using a (release) certificate to sign your applications - the signature protection checks that the application requesting the permission is same-signed as the application that defined the permission. - Jens
@Jens Thanks...it helped me.... btw you can add your comments as answer. Let enzom83 accept it. - Vijay C

3 Answers

133
votes

I had the same issue when I updated SDK to version 20. I removed it adding android:exported property android:exported="false" like so:

<service android:name=".MyService"
    android:exported="false">
    <intent-filter>
        <action android:name="org.example.android.myservicedemo.IService" />
    </intent-filter>
</service>

See this doc

60
votes

If you want to restrict you activity usage to your own application, then you should add exported=false to your activity's manifest statement.

If you want to allow other applications to use it (explicitly through its class name or, better, by using an intent with a data type or action) then you have two choices :

  • restrict those applications by using a permission
  • allow all applications to use it, then you can add tools:ignore="ExportedActivity" to your activity's manifest statement.

--

Same reasonning applies to a service, with tools:ignore="ExportedService" and content providers with tools:ignore="ExportedContentProvider".

4
votes

As Jens said, "It means that other (arbitrary) applications the user has on his phone can bind to your Service and call whatever method they please that is exposed through your AIDL interface."