Exported service does not require permission: what does it mean?

Question

I created a service that is bound by other applications through AIDL, and I add it to the manifest as follows:

Answer 1

I had the same issue when I updated SDK to version 20. I removed it adding android:exported property android:exported="false" like so:

<service android:name=".MyService"
    android:exported="false">
    <intent-filter>
        <action android:name="org.example.android.myservicedemo.IService" />
    </intent-filter>
</service>

See this doc

Answer 2

If you want to restrict you activity usage to your own application, then you should add exported=false to your activity's manifest statement.

If you want to allow other applications to use it (explicitly through its class name or, better, by using an intent with a data type or action) then you have two choices :

• restrict those applications by using a permission
• allow all applications to use it, then you can add tools:ignore="ExportedActivity" to your activity's manifest statement.

--

Same reasonning applies to a service, with tools:ignore="ExportedService" and content providers with tools:ignore="ExportedContentProvider".

Answer 3

As Jens said, "It means that other (arbitrary) applications the user has on his phone can bind to your Service and call whatever method they please that is exposed through your AIDL interface."