mzfr / slicer

A tool to automate the boring process of APK recon

Extract providers with the grantUriPermissions

mzfr opened this issue · comments

Some providers can have grantUriPermissions set to true even though they are not exported. But then those providers can be used along with some (potentially vulnerable) activity.

<provider android:name="com.ryot.arsdk.util.ARSDKFileProvider" android:exported="false" android:authorities="com.my.android.app.provider" android:grantUriPermissions="true">
    <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/file_provider_paths"/>
</provider>

Here we need three things:

  • The name of the provider
  • The authorities (this is the one we have to call the provider with)
  • android:resource - since this will be the path of the XML file

Another improvement to this

  • Parse the XML file provided in android:resource and just take out the name and the path of the file-path.
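
The extraction this issue asks for, as an added example (not code from slicer or from the issue author): it lists providers with android:grantUriPermissions="true" from a text-decoded manifest and reads the name/path entries of the referenced paths file. The function names, the second provider, the paths file contents and the res/xml/ location of the decoded resource are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the provider quoted in the issue inside a minimal manifest,
# plus a made-up second provider that does not grant URI permissions.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <provider android:name="com.ryot.arsdk.util.ARSDKFileProvider" android:exported="false"
              android:authorities="com.my.android.app.provider" android:grantUriPermissions="true">
      <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/file_provider_paths"/>
    </provider>
    <provider android:name="com.example.InternalProvider" android:exported="false"
              android:authorities="com.my.android.app.internal"/>
  </application>
</manifest>"""

# Constructed sample of the referenced paths file (contents are an assumption).
PATHS = """<paths>
  <files-path name="ar_assets" path="assets/"/>
  <external-path name="shared" path="."/>
</paths>"""

def grant_uri_providers(manifest_xml):
    """Return name, authorities, exported value and paths file of each granting provider."""
    found = []
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        if prov.get(ANDROID + "grantUriPermissions") != "true":
            continue
        paths_file = None
        for meta in prov.iter("meta-data"):
            ref = meta.get(ANDROID + "resource", "")
            if ref.startswith("@xml/"):
                # Assumed decoded layout: @xml/<name> lives at res/xml/<name>.xml
                paths_file = "res/xml/" + ref[len("@xml/"):] + ".xml"
        found.append({
            "name": prov.get(ANDROID + "name"),
            # A provider may declare several authorities separated by ';'
            "authorities": prov.get(ANDROID + "authorities", "").split(";"),
            "exported": prov.get(ANDROID + "exported"),
            "paths_file": paths_file,
        })
    return found

def file_paths(paths_xml):
    """Return (element tag, name, path) for every entry under <paths>."""
    return [(e.tag, e.get("name"), e.get("path")) for e in ET.fromstring(paths_xml)]

if __name__ == "__main__":
    print(grant_uri_providers(MANIFEST), file_paths(PATHS))
```
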