Why android:exported is false in the Service used to receive Firebase push notification?

Question

Based on https://developer.android.com/guide/topics/manifest/service-element

Regarding the meaning of android:exported

Whether or not components of other applications can invoke the service or interact with it — "true" if they can, and "false" if not. When the value is "false", only components of the same application or applications with the same user ID can start the service or bind to it.

When I look at the code https://firebase.google.com/docs/cloud-messaging/android/client

<service
    android:name=".java.MyFirebaseMessagingService"
    android:exported="false">
    <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT" />
    </intent-filter>
</service>

I thought when we are receiving push notification, it is the external Android system (considered as "other app") which invokes our app code. If that is so, why android:exported is false in the above case?

Isn't it should be true, if it is an external app which invokes our app code?

Thanks.

Answer 1

to be exact: afaik Google Play Services app is distributing pushes ("other app"). so yes, this Service should be exported if it is a receiver. BUT are you shure that this developer-side declared Service is obtaining push data directly from some external source/app? I bet "real receiver" of push messages is declared internally in Firebase library, is exported and does some hard job preventing injections + reading some additional metadata etc. And at the end it sends push data to developer-declared Service, which works in same process/app, thus this may not be exported (probably even shouldn't for safety purposes)

just guessing, but it looks like Google-style, and also reasonable, approach. don't have access to sources ;) maybe check out Merged manifest in Android Studio, it will show ALL declared activities, services, broadcasts, permissions etc. - sum of your entries and all imported libs (well, "merged")