|This rule was developed in part by Emma Krummenacher at the October 20-22, 2017 OurCS Workshop (http://www.cs.cmu.edu/ourcs/register.html). |
For more information about this statement, see the About the OurCS Workshop page.
The use of constants MODE_WORLD_READABLE and MODE_WORLD_WRITABLE is very dangerous and can cause security holes in applications. Applications should use more formal mechanisms for interactions and communicating amongst each other. These mechanisms include ContentProvider, BroadcastReceiver, and Service.
- ContentProvider: provides content to applications; used to share data amongst multiple applications
- BroadcastReceiver: Broadcasts are sent when an event of interest occurs; applications may register to receive certain broadcasts; used as a messaging system amongst applications
- Service: allows application to tell the system what it wants to do in the background and exposes some of its functionality to other applications
Noncompliant Code Example
This noncompliant code example shows an application that uses MODE_WORLD_READABLE to share files between applications.
Using the constant MODE_WORLD_READABLE allows other applications to read the file using the shared preference API. This is likely to cause security holes and is strongly discouraged.
This noncompliant code example shows an application that uses MODE_WORLD_WRITABLE to share files between applications.
Using the constant MODE_WORLD_WRITABLE allows other applications to read the file using the shared preference API. This is likely to cause security holes and is strongly discouraged.
In this compliant solution ...:
The constants MODE_WORLD_READABLE and MODE_WORLD_WRITABLE have been deprecated since API level 17. Starting from Android 7.0 (API level 24) their use will result in a SecurityException to be thrown.
Summary of risk assessment.
Fill in the table below with at least one entry row, per these instructions, then remove this purple-font section.
|TBD (e.g., MITRE CWE)|
|Sharing Files - Android Developer|
|Storage Options - Android Developer||https://developer.android.com/guide/topics/data/data-storage.html#pref|
|Context - Android Developer||https://developer.android.com/reference/android/content/Context.html|