Any application can access public components that are not explicitly assigned an access permission in their manifest definition. Android content providers are exported by default for applications that set either android:minSdkVersion or android:targetSdkVersion to "16" or earlier. For applications that set either of these attributes to "17" or later, the default is "false".

Example 1: The following is an example of an Android content provider declared without an explicit access permission or exported flag.

 <provider android:name=".ContentProvider"/> 

Android relies on a security Provider to provide secure network communications. However, from time to time, vulnerabilities are found in the default security provider. To protect against these vulnerabilities, Google Play services provides a way to automatically update a device's security provider to protect against known exploits. By calling Google Play services methods, your app can ensure that it's running on a device that has the latest updates to protect against known exploits.

The Network Security Configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and for a specific app. The key capabilities of this feature are as follows:
- Custom trust anchors: Customize which Certificate Authorities (CA) are trusted for an app's secure connections. For example, trusting particular self-signed certificates or restricting the set of public CAs that the app trusts.
- Debug-only overrides: Safely debug secure connections in an app without added risk to the installed base.
- Cleartext traffic opt-out: Protect apps from accidental usage of cleartext traffic.
- Certificate pinning: Restrict an app's secure connection to particular certificates.

Broadcasts sent without the receiver permission are accessible to any receiver. If these broadcasts contain sensitive data or reach a malicious receiver, the application may be compromised.

Example 1: The following code sends a broadcast without specifying the receiver permission.

...
context.sendBroadcast(intent);
...

System broadcasts can be sent to private components. Components need to be public to receive non-system broadcasts from third-parties. By registering to receive both system and non-system broadcasts in a single component, some of the functionality of the component (the system portion) is unnecessarily exposed to third parties.

When declaring a custom permission, there are four options for specifying permission's protection level: normal, dangerous, signature, and signature or system. Normal permissions are granted to any application that requests them. Dangerous permissions are granted only after user confirmation. Signature permissions are granted only to applications signed by the same developer key as the package that defines the permission. Signature or system permissions are similar to signature permissions, but are also granted to packages in the Android system image.

Example 1: The following is an example of a custom permission declared with the normal protection level.

 <permission android:name="custom.PERMISSION"
                     android:label="@string/label_permission"
                     android:description="@string/desc_permission"
                     android:protectionLevel="normal">
      </permission>

A content provider declared with the combined read and write permission will be accessible to the entities that request either read or write access to the provider. However, in many cases, just like in the case of files on a file system, entities that need read access to the data stored by the provider should not be allowed to modify the data. Setting the permission attribute does not allow to distinguish between data users and interactions that affect the data's integrity.

Example 1: The following is an example of a content provider declared with the combined read and write access permission.

 <provider android:name=".ContentProvider" android:permission="content.permission.READ_AND_WRITE_CONTENT"/>