Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-5324

Accessing Android external storage is security-sensitive

    Details

    • Message:
      Make sure that external files are accessed safely here
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      Java, Kotlin
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-312, CWE-20
    • OWASP:
      A1, A3
    • SANS Top 25:
      Porous Defenses, Risky Resource Management
    • FindBugs:
      ANDROID_EXTERNAL_FILE_ACCESS

      Description

      In Android applications, accessing external storage is security-sensitive. For example, it has led in the past to the following vulnerability:

      Any application having the permissions WRITE_EXTERNAL_STORAGE or READ_EXTERNAL_STORAGE can access files stored on an external storage, be it a private or a public file.

      This rule raises an issue when the following functions are called:

      • android.os.Environment.getExternalStorageDirectory
      • android.os.Environment.getExternalStoragePublicDirectory
      • android.content.Context.getExternalFilesDir
      • android.content.Context.getExternalFilesDirs
      • android.content.Context.getExternalMediaDirs
      • android.content.Context.getExternalCacheDir
      • android.content.Context.getExternalCacheDirs
      • android.content.Context.getObbDir
      • android.content.Context.getObbDirs

      Ask Yourself Whether

      • Data written to the external storage is security-sensitive and is not encrypted.
      • Data read from files is not validated.

      You are at risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      Validate any data read from files.
      Avoid writing sensitive information to an external storage. If this is required, make sure that the data is encrypted properly.

      See

        Attachments

          Issue Links

          1.
          Java RSPEC-5325 Language-Specification Active Unassigned

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                nicolas.harraudeau Nicolas Harraudeau
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: