The following table lists the CERT C Coding Standard rules and recommendations, and states their applicability to the development of Android applications. Applicable means that the rule can be applied to general C platforms including Android. Applicable? means that one reviewer found the rule to be applicable to the Android platform, but we are waiting for that to be verified. Applicable in principle means that the rule can be applied to Android but the examples currently shown in the rule are not yet relevant to Android. Not applicable means that the rule cannot be applied to Android platforms. A '?' indicates that applicability has not yet been determined.
Rules | Android app development applicable? | Comments |
DCL38-C. Use the correct syntax when declaring a flexible array member | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
EXP35-C. Do not modify objects with temporary lifetime | Applicable in Principle | Involves C11 temporary-lifetime semantics; whether that material is relevant depends on which C standard the Android toolchain targets and still needs to be considered. |
EXP36-C. Do not cast pointers into more strictly aligned pointer types | Applicable in Principle | ARM cores are stricter about alignment than x86 (a misaligned access can fault rather than merely run slowly), and x86 tolerance must not be assumed, so the rule is relevant on Android. |
INT35-C. Use correct integer precisions | Applicable in Principle | At the time of review this may not yet apply in practice, since no 64-bit Android phones had shipped (reported as on the way). Once 64-bit ABIs are in use, integer widths differ between 32-bit (ILP32) and 64-bit (LP64) builds, and the rule applies. |
INT36-C. Converting a pointer to integer or integer to pointer | Applicable in Principle | Which Android hardware this applies to was not known at review time (thought to affect only certain arcane platforms). Caveat: on a 64-bit ABI (arm64-v8a, x86_64) int is 32 bits wide and a pointer is 64, so converting through int truncates; use (u)intptr_t. |
FLP32-C. Prevent or detect domain and range errors in math functions | Applicable in Principle | Applicability may currently hinge on the sizes of int, double, etc. on the target (32-bit vs 64-bit chips). |
FLP34-C. Ensure that floating-point conversions are within range of the new type | Applicable in Principle | Applicability may currently hinge on the sizes of int, double, etc. on the target (32-bit vs 64-bit chips). |
FLP36-C. Preserve precision when converting integral values to floating-point type | Applicable in Principle | Applicability may currently hinge on the sizes of int, double, etc. on the target (32-bit vs 64-bit chips). |
STR30-C. Do not attempt to modify string literals | Applicable in Principle | STR: the remaining STR rules apply. |
STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator | Applicable in Principle | STR: the remaining STR rules apply. |
STR34-C. Cast characters to unsigned char before converting to larger integer sizes | Applicable in Principle | Plain char is unsigned on Android's ARM ABIs (armeabi-v7a, arm64-v8a) and signed on x86/x86_64, and a compiler option can change the default, so the same source behaves differently across the ABIs an app ships. Not an issue for new code that follows the rule, but existing code may silently depend on one signedness. |
STR38-C. Do not confuse narrow and wide character strings and functions | Applicable in Principle | Needs more investigation. |
MEM33-C. Allocate and copy structures containing a flexible array member dynamically | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
FIO39-C. Do not alternately input and output from a stream without an intervening flush or positioning call | Applicable in Principle | |
FIO30-C. Exclude user input from format strings | Applicable in Principle | Universal |
FIO29-C. Do not open a file that is already open | Applicable in Principle | |
FIO32-C. Do not perform operations on devices that are only appropriate for files | Applicable in Principle | |
FIO34-C. Distinguish between characters read from a file and EOF or WEOF | Applicable in Principle | The EOF/WEOF ambiguity arises on any stream read with getc()/fgetc()/getwc(), whether the file is in the app's private storage or on shared storage; file location does not affect it, and the VM does not shield native code from it. |
FIO37-C. Do not assume that fgets() or fgetws() returns a nonempty string when successful | Applicable in Principle | |
FIO38-C. Do not copy a FILE object | Applicable in Principle | FIO reference: what is the Android filesystem? Quoted from http://stackoverflow.com/questions/2421826/what-is-androids-file-system : "It depends on what filesystem, for example /system and /data are yaffs2 while /sdcard is vfat. By default, it uses YAFFS - Yet Another Flash File System. Depends on what hardware/platform you use. Since Android uses the Linux kernel at this level, it is more or less possible to use whatever filesystem the Linux kernel supports. But since most phones use some kind of NAND flash, it is safe to assume that they use YAFFS. But please note that if some vendor wants to sell an Android netbook (with a hard drive), they could use ext3 or something like that." |
FIO40-C. Reset strings on fgets() or fgetws() failure | Applicable in Principle | |
FIO41-C. Do not call getc(), putc(), getwc(), or putwc() with a stream argument that has side effects | Applicable in Principle | |
FIO42-C. Close files when they are no longer needed | Applicable in Principle | |
FIO44-C. Only use values for fsetpos() that are returned from fgetpos() | Applicable in Principle | |
FIO45-C. Avoid TOCTOU race conditions while accessing files | Applicable in Principle | |
FIO46-C. Do not access a closed file | Applicable in Principle | |
FIO47-C. Use valid format strings | Applicable in Principle | Universal |
SIG30-C. Call only asynchronous-safe functions within signal handlers | Applicable in Principle | bionic provides sigaction(), but that does not relax this rule: however the handler is installed, its body may only call async-signal-safe functions. See also http://stackoverflow.com/questions/7245550/android-app-restarts-automatically-after-a-crash |
SIG31-C. Do not access shared objects in signal handlers | Applicable in Principle | sigaction() does not help here either; a handler should only touch objects of type volatile sig_atomic_t or lock-free atomics. http://stackoverflow.com/questions/7245550/android-app-restarts-automatically-after-a-crash |
SIG34-C. Do not call signal() from within interruptible signal handlers | Applicable in Principle | This is the case sigaction() actually resolves: without SA_RESETHAND the handler persists, so there is no need to re-register it with signal() from inside the handler. http://stackoverflow.com/questions/7245550/android-app-restarts-automatically-after-a-crash |
SIG35-C. Do not return from a computational exception signal handler | Applicable in Principle | Returning from a SIGFPE/SIGSEGV/SIGILL handler is undefined behaviour regardless of whether signal() or sigaction() installed it. http://stackoverflow.com/questions/7245550/android-app-restarts-automatically-after-a-crash |
CON30-C. Clean up thread-specific storage | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON31-C. Do not destroy a mutex while it is locked | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON32-C. Prevent data races when accessing bit-fields from multiple threads | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON33-C. Avoid race conditions when using library functions | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON34-C. Declare objects shared between threads with appropriate storage durations | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON35-C. Avoid deadlock by locking in a predefined order | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON36-C. Wrap functions that can spuriously wake up in a loop | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON37-C. Do not call signal() in a multithreaded program | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON38-C. Preserve thread safety and liveness when using condition variables | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON39-C. Do not join or detach a thread that was previously joined or detached | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON40-C. Do not refer to an atomic variable twice in an expression | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON41-C. Wrap functions that can fail spuriously in a loop | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
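The STR34-C, EXP36-C and INT36-C comments above all come down to ABI assumptions that hold on one Android ABI and break on another. The following is an added example (not code from the CERT standard or from Android) that parses a constructed 5-byte record, one type byte followed by a little-endian uint32, the way code that must build for armeabi-v7a, arm64-v8a, x86 and x86_64 should: the type byte is widened through unsigned char, the payload is assembled byte by byte instead of through a cast to uint32_t*, and pointer bits are inspected through uintptr_t rather than int. The SAMPLE_RECORD bytes and the function names are this example's own.

```c
#include <limits.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: one "type" byte followed by a little-endian uint32.
   0xE9 is chosen because its high bit is set, which is exactly where
   plain-char sign extension bites. */
static const unsigned char SAMPLE_RECORD[5] = { 0xE9, 0x78, 0x56, 0x34, 0x12 };

/* STR34-C violation: reads the type byte through plain char and widens it.
   On ARM ABIs (char unsigned) this yields 233; on x86/x86_64 (char signed)
   it yields -23, so the same APK behaves differently per ABI. */
int type_byte_unsafe(const char *rec) {
    return rec[0];
}

/* STR34-C compliant: cast to unsigned char before widening, so the result
   is 233 on every ABI. */
int type_byte_safe(const char *rec) {
    return (unsigned char)rec[0];
}

/* EXP36-C violation, shown for comparison and deliberately never called:
   casting rec+1 to uint32_t* forms a misaligned pointer. x86 tolerates the
   load; ARM may fault, and the compiler may assume alignment on either.
   uint32_t payload_unsafe(const char *rec) { return *(const uint32_t *)(rec + 1); }
*/

/* EXP36-C compliant: assemble the value byte by byte. No pointer is cast to
   a stricter alignment, and the result is independent of host endianness. */
uint32_t payload_le(const char *rec) {
    const unsigned char *p = (const unsigned char *)rec + 1;
    return (uint32_t)p[0]
         | (uint32_t)p[1] << 8
         | (uint32_t)p[2] << 16
         | (uint32_t)p[3] << 24;
}

/* INT36-C: inspect pointer bits through uintptr_t, never int. On a 64-bit
   Android ABI int is 32 bits wide and a pointer is 64, so (int)p truncates. */
int is_aligned_for(const void *p, size_t alignment) {
    return ((uintptr_t)p % alignment) == 0;
}

/* Returns 1 when the payload pointer inside a copy of SAMPLE_RECORD is
   misaligned for uint32_t, i.e. when the cast in payload_unsafe would be an
   EXP36-C violation. The record is forced onto a 4-byte boundary so that
   rec+1 is deterministically misaligned. */
int payload_is_misaligned(void) {
    _Alignas(uint32_t) char rec[sizeof SAMPLE_RECORD];
    memcpy(rec, SAMPLE_RECORD, sizeof rec);
    return !is_aligned_for(rec + 1, _Alignof(uint32_t));
}

/* Compliant parse of the sample: 0x12345678 on every ABI. */
uint32_t parse_sample_payload(void) {
    return payload_le((const char *)SAMPLE_RECORD);
}

/* Compliant type byte: 233 on every ABI. */
int parse_sample_type(void) {
    return type_byte_safe((const char *)SAMPLE_RECORD);
}

/* Non-compliant type byte: exposes the build's char signedness. */
int parse_sample_type_unsafe(void) {
    return type_byte_unsafe((const char *)SAMPLE_RECORD);
}
```

Building this for both an ARM and an x86 ABI and comparing parse_sample_type_unsafe() is the quickest way to see the STR34-C problem on real devices; the compliant functions return the same values everywhere.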
Recommendations | Android app development applicable? | Comments |
FLP04-C. Check floating-point inputs for exceptional values | Applicable in Principle | Applicability may currently hinge on the sizes of int, double, etc. on the target (32-bit vs 64-bit chips). |
FLP05-C. Don't use denormalized numbers | Applicable in Principle | Applicability may currently hinge on the sizes of int, double, etc. on the target (32-bit vs 64-bit chips). |
FLP06-C. Convert integers to floating point for floating-point operations | Applicable in Principle | Applicability may currently hinge on the sizes of int, double, etc. on the target (32-bit vs 64-bit chips). |
FLP07-C. Cast the return value of a function that returns a floating-point type | Applicable in Principle | Applicability may currently hinge on the sizes of int, double, etc. on the target (32-bit vs 64-bit chips). |
ARR00-C. Understand how arrays work | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
ARR01-C. Do not apply the sizeof operator to a pointer when taking the size of an array | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
ARR02-C. Explicitly specify array bounds, even if implicitly defined by an initializer | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
ARR30-C. Do not form or use out-of-bounds pointers or array subscripts | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
ARR32-C. Ensure size arguments for variable length arrays are in a valid range | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
ARR36-C. Do not subtract or compare two pointers that do not refer to the same array | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
ARR37-C. Do not add or subtract an integer to a pointer to a non-array object | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
ARR38-C. Guarantee that library functions do not form invalid pointers | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
ARR39-C. Do not add or subtract a scaled integer to a pointer | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
STR11-C. Do not specify the bound of a character array initialized with a string literal | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
FIO01-C. Be careful using functions that use file names for identification | Applicable in Principle | |
FIO02-C. Canonicalize path names originating from tainted sources | Applicable in Principle | |
FIO03-C. Do not make assumptions about fopen() and file creation | Applicable in Principle | |
FIO05-C. Identify files using multiple file attributes | Applicable in Principle | |
FIO06-C. Create files with appropriate access permissions | Applicable in Principle | |
FIO08-C. Take care when calling remove() on an open file | Applicable in Principle | |
FIO09-C. Be careful with binary data when transferring data across systems | Applicable in Principle | |
FIO10-C. Take care when using the rename() function | Applicable in Principle | |
FIO11-C. Take care when specifying the mode parameter of fopen() | Applicable in Principle | |
FIO13-C. Never push back anything other than one read character | Applicable in Principle | |
FIO14-C. Understand the difference between text mode and binary mode with file streams | Applicable in Principle | |
FIO15-C. Ensure that file operations are performed in a secure directory | Applicable in Principle | FIO15-C: Look more closely at how native code's file operations interact with Android's per-app private storage to see if applicable. |
FIO17-C. Do not rely on an ending null character when using fread() | Applicable in Principle | |
FIO18-C. Never expect fwrite() to terminate the writing process at a null character | Applicable in Principle | |
FIO19-C. Do not use fseek() and ftell() to compute the size of a regular file | Applicable in Principle | |
FIO20-C. Avoid unintentional truncation when using fgets() or fgetws() | Applicable in Principle | |
FIO21-C. Do not create temporary files in shared directories | Applicable in Principle | |
FIO22-C. Close files before spawning processes | Applicable in Principle | |
FIO23-C. Do not exit with unflushed data in stdout or stderr | Applicable in Principle | |
SIG00-C. Mask signals handled by noninterruptible signal handlers | Applicable in Principle | sigaction()'s sa_mask is the mechanism for this on Android: signals listed there are blocked while the handler runs, so the recommendation is met by installing with sigaction() rather than signal(). http://stackoverflow.com/questions/7245550/android-app-restarts-automatically-after-a-crash |
SIG01-C. Understand implementation-specific details regarding signal handler persistence | Applicable in Principle | sigaction() gives persistence well-defined semantics on Android (the handler persists unless SA_RESETHAND is set), which removes the implementation-specific uncertainty this recommendation is about. http://stackoverflow.com/questions/7245550/android-app-restarts-automatically-after-a-crash |
SIG02-C. Avoid using signals to implement normal functionality | Applicable in Principle | Unaffected by sigaction(): signals remain a poor way to implement normal functionality. http://stackoverflow.com/questions/7245550/android-app-restarts-automatically-after-a-crash |
API01-C. Avoid laying out strings in memory directly before sensitive data | Applicable in Principle | |
API02-C. Functions that read or write to or from an array should take an argument to specify the source or target size | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
API05-C. Use conformant array parameters | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
API09-C. Compatible values should have the same type | Applicable in Principle | |
CON00-C. Avoid race conditions with multiple threads | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON01-C. Acquire and release synchronization primitives in the same module, at the same level of abstraction | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON02-C. Do not use volatile as a synchronization primitive | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON03-C. Ensure visibility when accessing shared variables | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON04-C. Join or detach threads even if their exit status is unimportant | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON05-C. Do not perform operations that can block while holding a lock | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON06-C. Ensure that every mutex outlives the data it protects | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON07-C. Ensure that compound operations on shared variables are atomic | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON08-C. Do not assume that a group of calls to independently atomic methods is atomic | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
CON09-C. Avoid the ABA problem when using lock-free algorithms | Applicable in Principle | CON concurrency: Android's bionic libc provides POSIX threads (pthreads); C11 <threads.h> only became available at API level 30 (Android 11), so pthreads are what NDK code uses in practice. Android-specific behaviour still needs to be looked at. |
MSC19-C. For functions that return an array, prefer returning an empty array over a null value | Applicable in Principle | Arrays: Android/NDK toolchain support for the array features involved still needs examination (GCC support is reported as partial). Note that JNI array handling differs between ART and Dalvik: http://developer.android.com/guide/practices/verifying-apps-art.html#JNI_Issues |
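The SIG30-C through SIG35-C rules and the SIG00-C through SIG02-C recommendations above all ask what sigaction() does and does not buy on Android. The following is an added example (not code from the CERT standard or from Android) that installs a SIGUSR1 handler with sigaction() on any POSIX system, bionic included, and shows the split: persistence and masking come from sigaction() (SIG34-C, SIG01-C, SIG00-C), while the handler body still has to restrict itself to async-signal-safe operations on a volatile sig_atomic_t (SIG30-C, SIG31-C). The signal numbers, handler and function names are this example's own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>

/* The only state the handler touches: a flag of the one type the C standard
   guarantees can be written from a handler (SIG31-C). */
static volatile sig_atomic_t usr1_count = 0;

/* SIG30-C: the body does nothing that is not async-signal-safe: no printf,
   no malloc, no locks, and no signal() re-registration (SIG34-C). */
static void on_usr1(int signo) {
    (void)signo;
    usr1_count = usr1_count + 1;   /* sig_atomic_t: safe to read and write here */
}

/* Install the handler with sigaction(). Compared with signal():
   - SIG01-C: persistence is defined, not implementation-specific. Without
     SA_RESETHAND the handler stays installed after delivery, so it never
     has to re-register itself.
   - SIG00-C: sa_mask blocks the listed signals while the handler runs, so a
     handler that must not be interrupted needs no masking code of its own.
   Returns 0 on success, -1 on failure (errno is set by sigaction). */
int install_usr1_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_usr1;
    sigemptyset(&sa.sa_mask);
    sigaddset(&sa.sa_mask, SIGUSR2);   /* do not let SIGUSR2 interrupt on_usr1 */
    sa.sa_flags = SA_RESTART;          /* no SA_RESETHAND: the handler persists */
    return sigaction(SIGUSR1, &sa, NULL);
}

/* Deliver SIGUSR1 twice and report how many deliveries were handled.
   raise() is synchronous for the calling thread, so the handler has run by
   the time it returns. A persistent handler yields 2; a one-shot handler
   (SA_RESETHAND, or signal() on implementations that reset) would handle
   one delivery and the second raise would terminate the process. */
int deliveries_handled(void) {
    if (install_usr1_handler() != 0)
        return -1;
    usr1_count = 0;
    raise(SIGUSR1);
    raise(SIGUSR1);
    return (int)usr1_count;
}
```

On Android one further caveat applies that the table does not mention: the ART runtime installs handlers of its own for some signals (for instance SIGQUIT for thread dumps and SIGSEGV for implicit null checks), so native code must not replace those handlers outright; the example above deliberately uses SIGUSR1, which the runtime leaves alone.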
Rules | Android app development applicable? | Comments |
MSC30-C. Do not use the rand() function for generating pseudorandom numbers | Applicable | |
MSC32-C. Properly seed pseudorandom number generators | Applicable | |
MSC33-C. Do not pass invalid data to the asctime() function | Applicable | |
MSC37-C. Ensure that control never reaches the end of a non-void function | Applicable | |
MSC38-C. Do not treat a predefined identifier as an object if it might only be implemented as a macro | Applicable | |
MSC39-C. Do not call va_arg() on a va_list that has an indeterminate value | Applicable | |
MSC40-C. Do not violate constraints | Applicable | |
Recommendations | Android app development applicable? | Comments |
POS01-C. Check for the existence of links when dealing with files | Applicable in Principle | |
POS02-C. Follow the principle of least privilege | Applicable | |
POS04-C. Avoid using PTHREAD_MUTEX_NORMAL type mutex locks | Applicable in Principle | |
POS05-C. Limit access to files by creating a jail | Applicable in Principle | |
Rules | Android app development applicable? | Comments |
POS30-C. Use the readlink() function properly | Applicable in Principle | |
POS33-C. Do not use vfork() | Possibly Applicable | |
POS34-C. Do not call putenv() with a pointer to an automatic variable as the argument | Possibly Applicable | |
POS35-C. Avoid race conditions while checking for the existence of a symbolic link | Applicable in Principle | Open questions: can apps obtain root, and can they run a shell? These rules/guidelines do not address rooted devices, which are effectively a different OS from standard Android. |
POS36-C. Observe correct revocation order while relinquishing privileges | Applicable in Principle | Open questions: can apps obtain root, and can they run a shell? These rules/guidelines do not address rooted devices, which are effectively a different OS from standard Android. Standard apps each run under a dedicated per-app UID and hold no privileges to relinquish, so this rule matters mainly for privileged system components. |
POS37-C. Ensure that privilege relinquishment is successful | Applicable in Principle | Open questions: can apps obtain root, and can they run a shell? These rules/guidelines do not address rooted devices, which are effectively a different OS from standard Android. Standard apps each run under a dedicated per-app UID and hold no privileges to relinquish, so this rule matters mainly for privileged system components. |
POS38-C. Beware of race conditions when using fork and file descriptors | Applicable in Principle | |
POS39-C. Use the correct byte ordering when transferring data between systems | Applicable in Principle | |
POS44-C. Do not use signals to terminate threads | Applicable in Principle | Further investigation needed, specifically regarding sigaction() behaviour on Android. |
POS47-C. Do not use threads that can be canceled asynchronously | Applicable in Principle | |
POS48-C. Do not unlock or destroy another POSIX thread's mutex | Applicable in Principle | |
POS49-C. When data must be accessed by multiple threads, provide a mutex and guarantee no adjacent data is also accessed | Applicable in Principle | Look into Android specifics regarding the "guarantee no adjacent data is also accessed" part. |
POS50-C. Declare objects shared between POSIX threads with appropriate storage durations | Applicable in Principle | |
POS51-C. Avoid deadlock with POSIX threads by locking in predefined order | Applicable in Principle | |
POS52-C. Do not perform operations that can block while holding a POSIX lock | Applicable in Principle | |
POS53-C. Do not use more than one mutex for concurrent waiting operations on a condition variable | Applicable in Principle | |
POS54-C. Detect and handle POSIX library errors | Applicable in Principle | |
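The CON rules and recommendations and the POS44-C through POS54-C rows above all land on POSIX threads as the concurrency API native Android code actually uses. The following is an added example (not code from the CERT standard or from Android) of a single-slot hand-off between two pthreads that follows the rows at once: the condition-variable wait is wrapped in a predicate loop (CON36-C, CON41-C), every pthread call's return value is checked (POS54-C), the thread is joined exactly once (CON39-C, CON04-C), and the mutex is destroyed only after it is unlocked and the data it guards can no longer be touched (CON31-C, CON06-C). The mailbox structure and the value 42 are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>

/* A one-slot mailbox: the mutex protects every field, and the condition
   variable announces "has_value changed". */
struct mailbox {
    pthread_mutex_t lock;
    pthread_cond_t  changed;
    bool            has_value;
    int             value;
};

/* Producer thread: publish a value under the lock, then signal. */
static void *producer(void *arg) {
    struct mailbox *mb = arg;
    pthread_mutex_lock(&mb->lock);
    mb->value = 42;
    mb->has_value = true;
    pthread_cond_signal(&mb->changed);
    pthread_mutex_unlock(&mb->lock);
    return NULL;
}

/* Consumer side. CON36-C / CON41-C: pthread_cond_wait() may return without
   a matching signal, so the predicate is re-checked in a loop rather than
   assumed true after one wake-up. */
int mailbox_take(struct mailbox *mb) {
    pthread_mutex_lock(&mb->lock);
    while (!mb->has_value)
        pthread_cond_wait(&mb->changed, &mb->lock);
    int v = mb->value;
    mb->has_value = false;
    pthread_mutex_unlock(&mb->lock);
    return v;
}

/* Full hand-off between two threads. Returns the received value, or -1 on
   a pthread error (POS54-C: library errors are checked, not ignored). */
int demo_handoff(void) {
    struct mailbox mb;
    if (pthread_mutex_init(&mb.lock, NULL) != 0)
        return -1;
    if (pthread_cond_init(&mb.changed, NULL) != 0) {
        pthread_mutex_destroy(&mb.lock);
        return -1;
    }
    mb.has_value = false;
    mb.value = 0;

    pthread_t t;
    if (pthread_create(&t, NULL, producer, &mb) != 0) {
        pthread_cond_destroy(&mb.changed);
        pthread_mutex_destroy(&mb.lock);
        return -1;
    }
    int v = mailbox_take(&mb);

    /* CON39-C / CON04-C: join exactly once, before tearing anything down.
       CON31-C / CON06-C: destroy the mutex only after it is unlocked and no
       thread can still reach the data it guards. */
    pthread_join(t, NULL);
    pthread_cond_destroy(&mb.changed);
    pthread_mutex_destroy(&mb.lock);
    return v;
}
```

The same shape builds unchanged against bionic with the NDK; the only platform difference worth remembering is that bionic's C11 <threads.h> wrappers exist only from API level 30, so pthreads remain the portable choice across the API levels an app supports.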
Recommendations | Android app development applicable? | Comments |
WIN00-C. Be specific when dynamically loading libraries | Not applicable | Windows-specific; Android apps do not run in a Microsoft Windows environment. |
WIN01-C. Do not forcibly terminate execution | Not applicable | Windows-specific; Android apps do not run in a Microsoft Windows environment. |
WIN02-C. Restrict privileges when spawning child processes | Not applicable | Windows-specific; Android apps do not run in a Microsoft Windows environment. |
WIN03-C. Understand HANDLE inheritance | Not applicable | Windows-specific; Android apps do not run in a Microsoft Windows environment. |
WIN04-C. Consider encrypting function pointers | Not applicable | Windows-specific; Android apps do not run in a Microsoft Windows environment. |
Rules | Android app development applicable? | Comments |
WIN30-C. Properly pair allocation and deallocation functions | Not applicable | Windows-specific; Android apps do not run in a Microsoft Windows environment. |