ExportedActivityDetector.kt

class ExportedActivityDetector : Detector(), Detector.XmlScanner {

    override fun getApplicableAttributes() = listOf("exported")

    override fun visitAttribute(context: XmlContext, attribute: Attr) {
        if (attribute.isParentActivity() && attribute.value == "true") {
            val location = context.getLocation(attribute)
            context.report(
                issue = ISSUE_EXPORTED_ACTIVITY,
                scope = attribute,
                message = ISSUE_EXPORTED_ACTIVITY.getBriefDescription(TextFormat.TEXT),
                location = location,
                quickfixData = quickFix(location)
            )
        }
    }

    private fun quickFix(location: Location): LintFix? {

        return fix().name("Remove attribute")
            .replace()
            .range(location)
            .all()
            .with("")
            .reformat(true)
            .build()
    }

    private fun Attr.isParentActivity() = ownerElement?.nodeName == "activity"
}

ExportedActivityIssue.kt

val ISSUE_EXPORTED_ACTIVITY = Issue.create(
    id = "ExportedActivity",
    briefDescription = "<activity> is accessible by other applications",
    explanation = """
        This attribute allows other applications to open the activity which
        is probably something you do not want. If you are using intent-filters
        they automatically export the activity.
        """.trimIndent(),
    category = Category.CORRECTNESS,
    priority = 7,
    severity = Severity.ERROR,
    implementation = Implementation(
        ExportedActivityDetector::class.java,
        Scope.MANIFEST_SCOPE
    )
)