AVG

Android Manifest com.google.firebase.messaging.FirebaseMessagingService is not Protected


Hi,

 

I'm doing a check of my Delphi App APK with MobSF Application Security, preparing it for a coming pentest.

The only high vulnerability that is left is the case that com.google.firebase.messaging.FirebaseMessagingService is exported with a "true" value in the manifest.

 

<service android:exported="true" android:name="com.google.firebase.messaging.FirebaseMessagingService">
    <intent-filter android:priority="-500">
        <action android:name="com.google.firebase.MESSAGING_EVENT" />
    </intent-filter>
</service>

 

 

I have tried several approaches for working out the solution, in order to get the exported value to "false":

1. Tried changing the value in the Android.Manifest.Template file, for example... but the value isn't there, since Delphi adds this com.google.firebase.messaging.FirebaseMessagingService entry to the Android.Manifest.xml file at compile time.

2. Got the generated Android.Manifest.XML from the /Android/Bin folder after compiling, changed the exported value to false for com.google.firebase.messaging.FirebaseMessagingService and then replaced the Android.Manifest.Template with it. The problem is that Delphi is still generating the automatic exported=true value for the service and is in fact duplicating the value in the Android.Manifest file.

Does anyone know how or where this automatic value that Delphi adds to the manifest is pre-configured when you select that you want to integrate with Firebase?

 

<service android:exported="true" android:name="com.google.firebase.messaging.FirebaseMessagingService">
    <intent-filter android:priority="-500">
        <action android:name="com.google.firebase.MESSAGING_EVENT" />
    </intent-filter>
</service>

 

Thanks for any help Guys!

3 hours ago, AVG said:

Does anyone know how or where this automatic value that Delphi adds to the manifest is pre-configured when you select that you want to integrate with Firebase?

 

As you discovered, it is being added during the build process. The value for exported is not in any configuration files so presumably it is hard-coded. The "easiest" way to fix this is to edit the generated AndroidManifest.xml, add it to the deployment and disable the one that Delphi would normally deploy. Of course this means having to repeat the process if you make any changes that affect the manifest.

 

..or you could use Delphi 11, where the problem has been fixed.

  • Like 1
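
One way to script the manual edit described in the reply above, as an added example that is not part of the original posts or of Delphi's tooling: it sets exported to "false" on the service, drops the duplicated entry mentioned in the question, and lists components that are still exported without a permission. The sample manifest, the package name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", NS)  # keep the android: prefix on output
A = "{%s}" % NS
FCM = "com.google.firebase.messaging.FirebaseMessagingService"

# Constructed sample of a generated manifest containing the duplicated entry.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <service android:exported="false" android:name="com.google.firebase.messaging.FirebaseMessagingService"/>
    <service android:exported="true" android:name="com.google.firebase.messaging.FirebaseMessagingService">
      <intent-filter android:priority="-500">
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
    <activity android:exported="true" android:name="com.example.app.MainActivity"/>
  </application>
</manifest>"""

def harden(xml_text, name=FCM):
    """Set exported="false" on one <service> entry for `name`, drop duplicates."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    hits = [s for s in app.findall("service") if s.get(A + "name") == name]
    if not hits:
        raise ValueError("service not declared: " + name)
    # Keep the entry that carries the intent-filter, otherwise the first one.
    keep = next((s for s in hits if s.find("intent-filter") is not None), hits[0])
    for dup in hits:
        if dup is not keep:
            app.remove(dup)
    keep.set(A + "exported", "false")
    return ET.tostring(root, encoding="unicode"), len(hits) - 1

def exported_unprotected(xml_text):
    """List (tag, name) of components exported without android:permission."""
    found = []
    root = ET.fromstring(xml_text)
    for tag in ("activity", "service", "receiver", "provider"):
        for c in root.iter(tag):
            exported = c.get(A + "exported")
            if exported is None:  # pre-Android 12 default: an intent-filter implies exported
                exported = "true" if c.find("intent-filter") is not None else "false"
            if exported == "true" and c.get(A + "permission") is None:
                found.append((tag, c.get(A + "name")))
    return found

if __name__ == "__main__":
    patched, removed = harden(SAMPLE)
    print("duplicates removed:", removed)
    print("still exported without permission:", exported_unprotected(patched))
```

Run it against the generated manifest before adding that file to the deployment, and again after any change that regenerates the manifest.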
