mcp-server-semgrep/semgrep-rules/java/android/security/exported_activity.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: exported_activity
  patterns:
  - pattern-not-inside: <activity ... android:exported="false" ... />
  - pattern-inside: "<activity  ... /> \n"
  - pattern-either:
    - pattern: |
        <activity ... android:exported="true" ... />
    - pattern: |
        <activity ... <intent-filter> ... />
  message: >-
    The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. 
    Ensure that any exported activities do not have privileged access to your application's control plane.
  languages:
  - generic
  severity: WARNING
  paths:
    exclude:
    - sources/
    - classes3.dex
    - '*.so'
    include:
    - '*AndroidManifest.xml'
  metadata:
    category: security
    subcategory:
    - vuln
    cwe:
    - 'CWE-926: Improper Export of Android Application Components'
    confidence: MEDIUM
    likelihood: MEDIUM
    impact: MEDIUM
    owasp:
    - A5:2021 Security Misconfiguration
    technology:
    - Android
    references:
    - https://cwe.mitre.org/data/definitions/926.html