This is kind of a compose question and kind of an android question. The compose app I’m working on r...

Jesse Hill

06/14/2021, 6:26 PM

This is kind of a compose question and kind of an android question. The compose app I’m working on recently underwent security testing and one of the issues brought up was

Activity androidx.compose.ui.tooling.preview.PreviewActivity is not protected [android:exported=true]

. I was trying to find out why it’s important for the

PreviewActivity

to be exported or if I can make it not exported for my project. As far as I can tell setting

android:exported=false

for the

PreviewActivity

only affects deploying a

@Preview

to the device. Will making this change have any negative effects on a release build of the app? If this is a non-issue, is there a link to release notes/documentation as to why it isn’t an issue?

Jesse Hill

06/14/2021, 6:28 PM

I’m thinking that this part of the implementation means that just being able to start the activity isn’t a security issue as long as the app isn’t debuggable?

Copy code

override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        if (applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE == 0) {
            Log.d(TAG, "Application is not debuggable. Compose Preview not allowed.")
            finish()
            return
        }

        intent?.getStringExtra("composable")?.let { setComposableContent(it) }
    }

Adam Powell

06/14/2021, 6:57 PM

@nosuid

nosuid

06/16/2021, 10:31 AM

Yes, that's correct. The

PreviewActivity

can not be started if the app is not debuggable and there is no impact on release.

👍 1

5 Views

Open in Slack

Previous Next

kotlinlang

A modern programming language that makes developers happier.