How to address android lint complaint about exported Firebase Messaging service implementations?

You ask: ...is it safe to expose these particular Firebase derived services like this? It is if you trust the comments in the manifest files for these services.

In Android Studio, open your app's AndroidManifest.xml file. At the bottom of the window, select the tab for Merged Manifest. Scroll to find the entry for FirebaseMessagingService. Double-click on the line that contains the service name. The manifest file for the service should open and you will see this:

<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.google.firebase.messaging">
    <uses-sdk android:minSdkVersion="14"/>

    <application>

        <!-- FirebaseMessagingService performs security checks at runtime,
             no need for explicit permissions despite exported="true" -->
        <service android:name="com.google.firebase.messaging.FirebaseMessagingService" android:exported="true">
            <intent-filter android:priority="-500">
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>

    </application>
</manifest>

Note the comment: FirebaseMessagingService performs security checks at runtime, no need for explicit permissions despite exported="true"

You can do the same for FirebaseInstanceIdService and see the same comment.

If you trust the comments (I do), you can safely ignore the lint warnings or disable the checks.


<service android:name=".java.MyFirebaseMessagingService"
    android:exported="false">
    <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT" />
    </intent-filter>
</service>

Based on the official code sample, it's safe to set exported=false