rspec/rules/S5594/xml/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

On AndroidManifest.xml:

----
<provider
  android:authorities="com.example.myapp.MyProvider1"
  android:name="com.example.myapp.MyProvider1"
  android:exported="true" /> <!-- Noncompliant: by default content providers are accessible by any other applications --> 

<provider
  android:authorities="com.example.myapp.MyProvider2"
  android:name="com.example.myapp.MyProvider2"
  android:exported="true"
  android:readPermission="com.example.myapp.READ_PERMISSION" />  <!-- Noncompliant: write permissions are not implemented --> 

<provider
  android:authorities="com.example.myapp.MyProvider3"
  android:name="com.example.myapp.MyProvider3"
  android:exported="true"
  android:writePermission="com.example.myapp.WRITE_PERMISSION" />  <!-- Noncompliant: read permissions are not implemented --> 

<permission android:name="com.example.myapp.BAD_PERMISSION"
  android:protectionLevel="dangerous" />

<provider
  android:authorities="com.example.myapp.MyProvider4"
  android:name="com.example.myapp.MyProvider4"
  android:exported="true"
  android:permission="com.example.myapp.BAD_PERMISSION"  />  <!-- Noncompliant: non restrictive permissions are setted --> 
----

== Compliant Solution

On AndroidManifest.xml, if it is not needed to export your provider to other applications, set the ``++exported++`` property to ``++false++``:

----
<provider
  android:authorities="com.example.myapp.MyProvider5"
  android:name="com.example.myapp.MyProvider5"
  android:exported="false" />  <!-- Compliant --> 
----

Otherwise implement restrictive permissions:

----
<permission android:name="com.example.myapp.GOOD_PERMISSION"
  android:protectionLevel="signature" />

<provider
  android:authorities="com.example.myapp.MyProvider6"
  android:name="com.example.myapp.MyProvider6"
  android:exported="true"
  android:permission="com.example.myapp.GOOD_PERMISSION"  />  <!-- Compliant --> 
----

include::../see.adoc[]