Type: Security Hotspot Detection
Message: Make sure that external files are accessed safely here
Default Quality Profiles: Sonar way
Targeted languages: Java, Kotlin
Analysis Scope: Main Sources
SANS Top 25: Porous Defenses, Risky Resource Management
In Android applications, accessing external storage is security-sensitive. For example, it has led in the past to the following vulnerability:
Any application holding the WRITE_EXTERNAL_STORAGE or READ_EXTERNAL_STORAGE permission can access files stored on external storage, whether the file is private or public.
This rule raises an issue when the following functions are called:
Ask yourself whether:
- Data written to the external storage is security-sensitive and is not encrypted.
- Data read from files is not validated.
You are at risk if you answered yes to any of those questions.
Validate any data read from files.
Avoid writing sensitive information to external storage. If this is required, make sure that the data is encrypted properly.
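The two practices above side by side, as an added example that is not part of the rule description or of SonarSource's own code: a cleartext write that this hotspot is meant to flag, the same write encrypted with AES-GCM, and a read that authenticates and validates the content before using it. The `Context`, file names and the `SecretKey` (assumed to be obtained from the Android Keystore) are assumptions for illustration.

```java
import android.content.Context;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class ExternalStorageExample {
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_BYTES = 12;

    // Sensitive: a secret written in cleartext to external storage, readable by any
    // app that holds READ_EXTERNAL_STORAGE. This is the pattern the hotspot asks you to review.
    static void writeTokenInsecure(Context ctx, String token) throws IOException {
        File f = new File(ctx.getExternalFilesDir(null), "token.txt");
        try (FileWriter w = new FileWriter(f)) { w.write(token); }
    }

    // Compliant write: encrypt with AES-GCM (fresh random IV per write) before the data
    // touches external storage. The key is assumed to come from the Android Keystore.
    static void writeTokenEncrypted(Context ctx, SecretKey key, String token) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(token.getBytes(StandardCharsets.UTF_8));
        File f = new File(ctx.getExternalFilesDir(null), "token.bin");
        try (FileOutputStream out = new FileOutputStream(f)) { out.write(iv); out.write(ct); }
    }

    // Compliant read: the GCM tag rejects files tampered with by another app, and the
    // plaintext is validated against the expected shape before it is trusted.
    static String readTokenValidated(Context ctx, SecretKey key) throws Exception {
        File f = new File(ctx.getExternalFilesDir(null), "token.bin");
        byte[] blob = Files.readAllBytes(f.toPath());
        if (blob.length < IV_BYTES + GCM_TAG_BITS / 8) throw new IOException("file too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, blob, 0, IV_BYTES));
        byte[] pt = c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES); // throws on bad tag
        String token = new String(pt, StandardCharsets.UTF_8);
        if (!token.matches("[A-Za-z0-9._-]{1,256}")) throw new IOException("unexpected token format");
        return token;
    }
}
```

Even with encryption, prefer `Context.getFilesDir()` (internal, app-private storage) for secrets whenever the data does not genuinely need to be shared with other apps.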
- Android Security tips on external file storage
- OWASP Top 10 2017 Category A1 - Injection
- OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
- MITRE, CWE-312 - Cleartext Storage of Sensitive Information
- MITRE, CWE-20 - Improper Input Validation
- SANS Top 25 - Risky Resource Management
- SANS Top 25 - Porous Defenses