
Best Practices for Secure Android Component Development

This article explains how to securely use Android components during development by identifying risk points, recommending proper use of the android:exported attribute, custom permissions, intent validation, and safe BroadcastReceiver and ContentProvider practices to enhance app reliability and security.

HomeTech

Introduction: This article discusses how to use Android components more securely during development, highlighting risk points and ways to improve source code reliability and app security.

Background: Android's four main components (Activity, Service, BroadcastReceiver, ContentProvider) can be declared public or private via the android:exported attribute. By default, Activity, Service, and BroadcastReceiver become public when an intent-filter is present; ContentProvider is public on API levels below 17 and private on API 17 and above.

Public components can be invoked by external applications, which creates security risks.

Secure component development recommendations:

Remove any components declared in AndroidManifest that have no implementation, as they can be exploited to crash the app.

Set android:exported="false" for components that do not need to be accessed by other apps, making them private.

Define custom permissions with appropriate protectionLevel for components that should be accessed only by specific external apps.

Ensure private components cannot be launched by public components, preventing privilege escalation.

Use LocalBroadcastManager for dynamic BroadcastReceiver registration to keep broadcasts internal to the app.

Limit ContentProvider exposure: avoid unnecessary openFile() implementation or validate file paths to prevent directory‑traversal attacks.

Validate all incoming Intent data before processing to avoid malicious commands or crashes.

Permission declaration example:

<permission android:name="com.autohome.permission_test" android:protectionLevel="signature"/>

Activity with custom permission:

<activity android:name="DemoActivity" android:permission="com.autohome.permission_test">
    <intent-filter>
        ...
    </intent-filter>
</activity>

Uses‑permission declaration:

<uses-permission android:name="com.autohome.permission_test"/>

LocalBroadcastManager utility methods:

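// getInstance() is the app's own accessor that supplies the Context
// required by LocalBroadcastManager.getInstance(Context).

// Sends a broadcast that stays inside this app; sendBroadcastSync() returns
// only after the registered receivers have run.
public static void sendLocalBroadcast(Intent intent) {
    LocalBroadcastManager.getInstance(getInstance()).sendBroadcastSync(intent);
}

// Registers a receiver that only sees broadcasts sent through LocalBroadcastManager.
public static void registerLocalReceiver(BroadcastReceiver receiver, IntentFilter filter) {
    LocalBroadcastManager.getInstance(getInstance()).registerReceiver(receiver, filter);
}

// Unregisters a receiver previously added with registerLocalReceiver().
public static void unregisterLocalReceiver(BroadcastReceiver receiver) {
    LocalBroadcastManager.getInstance(getInstance()).unregisterReceiver(receiver);
}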
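
ContentProvider path validation, as an added example that is not from the original article: a plain-Java check that an openFile() implementation could call before opening anything, illustrating the directory-traversal recommendation above. The class name ProviderPathGuard, the method resolveInside, the demo directory and the sample requests are assumptions made for illustration.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

// Added example: a path check that ContentProvider.openFile() can call first.
public class ProviderPathGuard {

    // Resolves the decoded path from the incoming Uri under baseDir and throws
    // if the result would fall outside that directory.
    static File resolveInside(File baseDir, String requested)
            throws FileNotFoundException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new FileNotFoundException("empty or malformed path");
        }
        File base;
        File target;
        try {
            // getCanonicalFile() collapses "." and ".." and follows symlinks, so
            // the check is made on the file that would actually be opened.
            base = baseDir.getCanonicalFile();
            target = new File(base, requested).getCanonicalFile();
        } catch (IOException e) {
            throw new FileNotFoundException("cannot resolve path");
        }
        // The trailing separator keeps a sibling such as "shared_evil" from
        // passing as a child of "shared".
        if (!target.getPath().startsWith(base.getPath() + File.separator)) {
            throw new FileNotFoundException("path escapes the shared directory");
        }
        return target;
    }

    public static void main(String[] args) {
        // Hypothetical directory the provider is meant to serve files from.
        File shared = new File(System.getProperty("java.io.tmpdir"), "demo_app/files/shared");
        // Constructed inputs, as they look after Uri decoding.
        String[] requests = {
            "report.pdf", "docs/2024/q1.pdf", "../../databases/app.db",
            "docs/../../shared_prefs/auth.xml", "../shared_evil/x.txt"
        };
        for (String r : requests) {
            try {
                System.out.println("ALLOW  " + r + " -> " + resolveInside(shared, r));
            } catch (FileNotFoundException e) {
                System.out.println("REJECT " + r + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

In a provider, pass the decoded path from the incoming Uri to resolveInside() and hand the returned File to ParcelFileDescriptor.open(); the first two sample requests are allowed and the last three are rejected.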

Conclusion: Set unnecessary components to non‑exported, apply permission controls to exported components, strictly validate Intent parameters, use LocalBroadcastManager for internal broadcasts, and protect ContentProvider file access to improve Android app security.
