Roberto Tyley Roberto Tyley - 4 months ago 11
Android Question

Is android:exported="true" really necessary for an authentication service?

There are usually two services involved with implementing an Android authenticator - the Authentication service to return an authenticator, and the Sync service which provides a sync adapter. This question is specifically about the Authentication service, although in most examples both services are given the

android:exported="true"
attribute in the
AndroidManifest.xml
, eg:

<service
android:name=".authenticator.AuthenticationService"
android:exported="true">
<intent-filter>
<action
android:name="android.accounts.AccountAuthenticator" />
</intent-filter>
<meta-data
android:name="android.accounts.AccountAuthenticator"
android:resource="@xml/authenticator" />
</service>


Removing the attribute from the Authentication service seems to have no effect (tested Froyo, Gingerbread) - the auth code continues to work just fine - so is the flag actually necessary?

Answer

Ok, to answer this myself by reading the docs, the documentation for the exported attribute says:

The default value depends on whether the service contains intent filters. The absence of any filters means that it can be invoked only by specifying its exact class name. This implies that the service is intended only for application-internal use (since others would not know the class name). So in this case, the default value is "false". On the other hand, the presence of at least one filter implies that the service is intended for external use, so the default value is "true".

All Authentication services have an intent filter - the docs for AbstractAccountAuthenticator say:

In order to be an authenticator one must ... write a service that returns the result of getIBinder() in the service's onBind(android.content.Intent) when invoked with an intent with action ACTION_AUTHENTICATOR_INTENT.

This requires an intent filter, consequently the default value of exported for the service is true. So the answer to this question is "No, the attribute is not necessary - because it's true by default".