AndroidManifest security configuration

Hello, I’m not sure if I am in the right category, but I have a question about security configuration.

For the security team at the company where I work, I need to set the following properties to false:

android:exported="false" (inside <activity>)
android:grantUriPermissions="false" (inside <provider>)

The problem with setting android:exported to false is that it’s no longer possible to debug the application using adb. Does anyone know a way to overcome this issue?

Also, setting android:grantUriPermissions to false crashes the app on startup. Does anyone know how to set it to false and still be able to grant specific permissions? Or only allow the Ionic app to have permissions to access the Android native files.

Current working AndroidManifest file:

<?xml version='1.0' encoding='utf-8'?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <application
      android:networkSecurityConfig="@xml/network_security_config"
      android:allowBackup="false"
      android:icon="@mipmap/ic_launcher"
      android:label="@string/app_name"
      android:roundIcon="@mipmap/ic_launcher_round"
      android:supportsRtl="true"
      android:theme="@style/AppTheme">
        <activity
                android:configChanges="orientation|keyboardHidden|keyboard|screenSize|locale|smallestScreenSize|screenLayout|uiMode"
                android:exported="true"
                android:label="@string/title_activity_main"
                android:launchMode="singleTask"
                android:name=".MainActivity"
                android:theme="@style/AppTheme.NoActionBarLaunch">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <provider android:authorities="${applicationId}.fileprovider"
                  android:exported="false"
                  android:grantUriPermissions="true"
                  android:name="androidx.core.content.FileProvider">
            <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/file_paths" />
        </provider>
    </application>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.USE_BIOMETRIC" />
</manifest>

Matthieu

Providers are used for security reasons; they are the safe way of sharing an internal file from your app with another app, for example when using the share plugin, or when taking a picture with the camera plugin: the plugin creates an empty file inside your app and lets the camera app write the result inside that file.

The permissions are granted per file when it’s about to be shared or used by another app, so there is no point in setting grantUriPermissions to false, because when it’s used, it’s to grant access to that file.
If you don’t use share or camera plugins you can remove the whole provider block (unless you have some other plugin that might require providers).

And for the activity, if I set it to false I get it underlined in red saying that it’s required to be true for Android 12 and newer to be able to launch the app.

So talk with your security team, because it doesn’t look like they know what they are requesting you to do.
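
As an added example (not part of the thread, and not Ionic or Capacitor tooling), here is a manifest check a security team could run in CI in place of a blanket "false" rule: it accepts an exported launcher activity and the FileProvider settings discussed above, and flags other exported components. The policy choices and the names `audit_manifest`, `is_launcher` and `SAMPLE` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
FILE_PROVIDER = "androidx.core.content.FileProvider"

# Constructed sample: the thread's manifest reduced to the attributes under review.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <provider android:name="androidx.core.content.FileProvider"
              android:authorities="${applicationId}.fileprovider"
              android:exported="false" android:grantUriPermissions="true" />
  </application>
</manifest>"""

def is_launcher(component):
    """True if any intent-filter pairs action MAIN with category LAUNCHER."""
    for flt in component.findall("intent-filter"):
        names = {child.get(NS + "name") for child in flt}
        if {"android.intent.action.MAIN", "android.intent.category.LAUNCHER"} <= names:
            return True
    return False

def audit_manifest(xml_text):
    """Return findings as strings; an empty list means the manifest passes."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    for el in (app if app is not None else []):
        name, exported = el.get(NS + "name"), el.get(NS + "exported")
        if el.tag in ("activity", "activity-alias", "service", "receiver"):
            launcher = el.tag.startswith("activity") and is_launcher(el)
            if el.find("intent-filter") is not None and exported is None:
                findings.append(f"{name}: intent-filter without explicit android:exported")
            elif launcher and exported != "true":
                findings.append(f"{name}: launcher entry point must be exported")
            elif exported == "true" and not launcher and not el.get(NS + "permission"):
                findings.append(f"{name}: exported without android:permission")
        elif el.tag == "provider":
            if exported == "true":
                findings.append(f"{name}: provider must not be exported")
            # FileProvider refuses to start unless it can grant per-URI permissions.
            if name == FILE_PROVIDER and el.get(NS + "grantUriPermissions") != "true":
                findings.append(f"{name}: FileProvider needs grantUriPermissions=true")
    return findings
```

Calling `audit_manifest(SAMPLE)` returns an empty list for the working manifest, while the variant with both attributes forced to false produces one finding for the launcher activity and one for the FileProvider.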