Behavior changes | Understanding intent-filter in Android 12

12 An important change is to improve the security of Android applications and systems, this change affects all target versions for Android application 12 .

If the Activity, service, and broadcast receiver components registered in the AndroidManifest.xml file have an intent-filter declaration, they must explicitly state whether the service needs to be disclosed (android:exported).

❗️ If the following error message appears in your application, it is likely to be related to this change.

Installation did not succeed.

The application could not be installed: INSTALL_FAILED_VERIFICATION_FAILURE

List of apks:

[0] ‘…/build/outputs/apk/debug/app-debug.apk’

Installation failed due to: ‘null’

or

NSTALL_PARSE_FAILED_MANIFEST_MALFORMED: Failed parse during installPackageLI:

/data/app/vmdl538800143.tmp/base.apk (at Binary XML file line #…):

com.example.package.ActivityName: Targeting S+ (version 10000 and above) requires that an explicit

value for android:exported be defined when intent filters are present”

solution

To solve these problems, you need to AndroidManifest.xml file, using the <intent-filter> of <activity> , <activity-alias> , <service> or <receiver> component declaration android:exported property.

We look forward to receiving your feedback on this requirement. If you have any suggestions or ideas, please fill out this short questionnaire to give us feedback and tell us which use cases in your application are affected by this change .

⚠️ Please do not "simple and rude" to add android:exported="true" directly to these components, you need to check and consider those components that have added the intent-filter attribute: any other application on the user's device can start this component, whether this is what you need of?

Whether a component can call or interact with components or services of other applications depends on the function of the application itself, how other applications interact with the application, and the specific application scenarios that may exist. Here are some common examples, including the recommended configuration of intent-filter and why it should be set up like this.

Containing <category android:name="android.intent.category.LAUNCHER" /> Activity setting android:exported="true"

This Activity may be MainActivity of your application. Since the Launcher (desktop/launcher) on Android is a very regular application, this Activity must be set to exported="true" , otherwise the Launcher application cannot start it.

Containing <action android:name="android.intent.action.VIEW" /> Activity setting android:exported="true"

This Activity is responsible for handling "open with" operations from other applications.

Comprising <action android:name="android.intent.action.SEND" /> or <action android:name="android.intent.action.SEND_MULTIPLE"/> the Activity setting android:exported="true"

This Activity is responsible for processing the content shared by other apps. For more information, please refer to: receive simple data from other apps.

Containing <action android:name="android.media.browse.MediaBrowserService" /> Service set android:exported="true"

If this is a Service that exposes the application's media library to other applications, it needs to be set to android:exported="true" to facilitate other applications to connect and browse. This Service is generally implemented by directly or indirectly inheriting MediaBrowserServiceCompat . If it is not, there is no need to set this.

To include <action android:name="com.google.firebase.MESSAGING_EVENT" /> Service, set android:exported="false"

This Service will be called by Firebase Cloud Messaging, and the Service needs to inherit FirebaseMessagingService . This Service should not set android:exported="true", because Firebase can start this Service no matter what its attribute value is. For more information, please refer to: Developing a Firebase Cloud-based messaging application on Android.

Comprising <action android:name="android.intent.action.BOOT_COMPLETED" /> set of Receiver Android: = exported "to false"

Because no matter whether it is exported or not, the system will send the corresponding broadcast to the receiver.

background

Before Android 12, components with intent-filter attributes ( only Activity, Service and BroadcastReceiver) were automatically set to exported by default.

The following activities will be exported by default:

<activity android:name=".MainActivity">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>

The following activities will not be exported:

<activity android:name=".MainActivity" />

This default setting may seem reasonable, but this error may make the application vulnerable. For example, suppose our application has an Activity that plays a video:

<activity android:name=”.PlayVideoActivity” />

Later, we found that many places need to explicitly call or start this Activity. In order to reduce the coupling of the application, we added the intent-filter attribute to the Activity to allow the system to select this Activity:

<activity android:name=”.PlayVideoActivity”>
    <intent-filter>
        <action android:name=”android.intent.action.VIEW” />
        <data
            android:mimeType=”video/*”
            android:scheme=”content” />
    </intent-filter>
</activity>

At this point, the problem has arisen. The purpose of this activity is only to be used inside the application, but it has now been made public!

If the target version of our application is Android 12, the system will prevent such a setting and force us to set the android:exported attribute. Since we do not want to expose the Activity to the outside world, we can set android:export=false to ensure the security of the application.

<activity
    android:name=”.PlayVideoActivity”
    android:exported=”false”>
    <intent-filter>
        <action android:name=”android.intent.action.VIEW” />
        <data
            android:mimeType=”video/*”
            android:scheme=”content” />
    </intent-filter>
</activity>

Brief summary

An important change in Android 12 is to improve security. With Android 12 as the target version of the application, if AndroidManifest.xml registered activity , activity-alias , service or broadcast receiver component has intent-filter property, it must explicitly set android:exported value, otherwise the application will not be installed.

You need to carefully consider what value the android:exported attribute needs to be set. If you are not sure, it is recommended to set android:exported="false" .

For more information about intent and intent-filter, please refer to: receives an implicit intent .

For more security and privacy updates, please refer to: Behavior changes: Applications targeting Android 12 -> Security .

To learn about all the updates of Android 12, please refer to: first developer preview version of Android 12 is coming .