| Rule | Applicable to Android Application Development? | |
|---|
| IDS00-J. Sanitize untrusted data passed across a trust boundary | Applicable in principle | The rule uses MS SQL Server as an example to show a database connection. However, on Android, DatabaseHelper from SQLite is used for a database connection. Because Android apps may receive untrusted data via network connections, the rule is applicable. |
| IDS01-J. Normalize strings before validating them | Applicable in principle | Android apps can receive string data from the outside and normalize it. |
| IDS02-J. Canonicalize path names before validating them | Applicable in principle | The rule is applicable in principle. Please refer to the Android specific instance of this rule: DRD08-J. Always canonicalize a URL received by a content provider. |
| IDS03-J. Do not log unsanitized user input | Applicable | |
| IDS04-J. Safely extract files from ZipInputStream | Applicable in principle | Although not directly a violation of this rule, the Android Master Key vulnerability (insecure use of ZipEntry) is related to this rule. Another attack vector found by a Chinese researcher is also related to this rule. |
| IDS05-J. Use a subset of ASCII for file and path names | Applicable | |
| IDS06-J. Exclude unsanitized user input from format strings | Applicable | |
| IDS07-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method | Applicable in principle | Runtime.exec() can be called from Android apps to execute operating system commands. |
| IDS08-J. Sanitize untrusted data passed to a regex | Applicable | |
| IDS09-J. Do not use locale-dependent methods on locale-dependent data without specifying the appropriate locale | Applicable in principle | A developer can specify locale on Android using java.util.Locale. |
| IDS10-J. Do not split characters between two data structures | Applicable | |
| IDS11-J. Eliminate noncharacter code points before validation | Applicable | |
| IDS12-J. Perform lossless conversion of String data between differing character encodings | Applicable | <this is voided> |
| IDS13-J. Use compatible encodings on both sides of file or network IO | Applicable | |
| DCL00-J. Prevent class initialization cycles | Applicable | |
| DCL01-J. Do not reuse public identifiers from the Java Standard Library | Applicable | |
| DCL02-J. Declare all enhanced for statement loop variables final | Applicable | |
| EXP00-J. Do not ignore values returned by methods | Applicable | |
| EXP01-J. Never dereference null pointers | Applicable in principle | Android applications are more sensitive to NullPointerException due to the constraint of the limited mobile device memory. Static members or members of an Activity may become null when memory runs out. |
| EXP02-J. Use the two-argument Arrays.equals() method to compare the contents of arrays | Applicable | |
| EXP03-J. Do not use the equality operators when comparing values of boxed primitives | Applicable | |
| EXP04-J. Ensure that autoboxed values have the intended type | Applicable | |
| EXP05-J. Do not write more than once to the same variable within an expression | Applicable | |
| EXP06-J. Do not use side-effecting expressions in assertions | Applicable in principle | The assert statement is supported on the Dalvik VM but is ignored under the default configuration. Assertions may be enabled by setting the system property "debug.assert" via: adb shell setprop debug.assert 1 or by sending the command line argument "--enable-assert" to the Dalvik VM. |
| NUM00-J. Detect or prevent integer overflow | Applicable in principle | Mezzofanti for Android contained an integer overflow which prevented the use of a big SD card. Mezzofanti contained an expression: (int) StatFs.getAvailableBlocks() * (int) StatFs.getBlockSize()
to calculate the available memory in a SD card, which could result in a negative value when the available memory is bigger than Integer.MAX_VALUE. Note these methods are deprecated in API level 18 and replaced by getAvailableBlocksLong() and getBlockSizeLong(). |
| NUM01-J. Do not perform bitwise and arithmetic operations on the same data | Applicable | |
| NUM02-J. Ensure that division and modulo operations do not result in divide-by-zero errors | Applicable | |
| NUM03-J. Use integer types that can fully represent the possible range of unsigned data | Applicable | |
| NUM04-J. Do not use floating-point numbers if precise computation is required | Applicable in principle | The use of floating-point is not recommended for performance reasons on Android. |
| NUM05-J. Do not use denormalized numbers | Applicable | |
| NUM06-J. Use the strictfp modifier for floating-point calculation consistency across platforms | Applicable in principle | |
| NUM07-J. Do not attempt comparisons with NaN | Applicable | |
| NUM08-J. Check floating-point inputs for exceptional values | Applicable | |
| NUM09-J. Do not use floating-point variables as loop counters | Applicable | |
| NUM10-J. Do not construct BigDecimal objects from floating-point literals | Applicable | |
| NUM11-J. Do not compare or inspect the string representation of floating-point values | Applicable in principle | Comparing or inspecting the string representation of floating-point values may have unexpected results on Android. |
| NUM12-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data | Applicable | |
| NUM13-J. Avoid loss of precision when converting primitive integers to floating-point | Applicable | |
| OBJ00-J. Limit extensibility of classes and methods with invariants | Applicable | |
| OBJ01-J. Declare data members as private and provide accessible wrapper methods | Applicable | |
| OBJ02-J. Preserve dependencies in subclasses when changing superclasses | Applicable | |
| OBJ03-J. Do not mix generic with nongeneric raw types in new code | Applicable | |
| OBJ04-J. Provide mutable classes with copy functionality to safely allow passing instances to untrusted code | Applicable | |
| OBJ05-J. Defensively copy private mutable class members before returning their references | Applicable | |
| OBJ06-J. Defensively copy mutable inputs and mutable internal components | Applicable | |
| OBJ07-J. Sensitive classes must not let themselves be copied | Applicable | |
| OBJ08-J. Do not expose private members of an outer class from within a nested class | Applicable | |
| OBJ09-J. Compare classes and not class names | Applicable | |
| OBJ10-J. Do not use public static nonfinal variables | Applicable | |
| OBJ11-J. Be wary of letting constructors throw exceptions | Applicable | |
| MET00-J. Validate method arguments | Applicable | |
| MET01-J. Never use assertions to validate method arguments | Applicable in principle | The assert statement is supported on the Dalvik VM but is ignored under the default configuration. Assertions may be enabled by setting the system property "debug.assert" via: adb shell setprop debug.assert 1 or by sending the command line argument "--enable-assert" to the Dalvik VM. |
| MET02-J. Do not use deprecated or obsolete classes or methods | Applicable in principle | The Android SDK also has deprecated or obsolete APIs. Also, there may exist incompatible APIs depending on the SDK version. Therefore, it is recommended that developers refer to the "Android API Difference report" and consider replacing the deprecated APIs. |
| MET03-J. Methods that perform a security check must be declared private or final | Applicable in principle | On Android, System.getSecurityManager() is not used and the use of a Security Manager is not exercised. However, an Android developer can implement security-sensitive methods so the principle may be applicable on Android. |
| MET04-J. Do not increase the accessibility of overridden or hidden methods | Applicable | |
| MET05-J. Ensure that constructors do not call overridable methods | Applicable | |
| MET06-J. Do not invoke overridable methods in clone() | Applicable | |
| MET07-J. Never declare a class method that hides a method declared in a superclass or superinterface | Applicable | |
| MET08-J. Preserve the equality contract when overriding the equals() method | Applicable | |
| MET09-J. Classes that define an equals() method must also define a hashCode() method | Applicable | |
| MET10-J. Follow the general contract when implementing the compareTo() method | Applicable | |
| MET11-J. Ensure that keys used in comparison operations are immutable | Applicable | |
| MET12-J. Do not use finalizers | Applicable | |
| ERR00-J. Do not suppress or ignore checked exceptions | Applicable | |
| ERR01-J. Do not allow exceptions to expose sensitive information | Applicable | |
| ERR02-J. Prevent exceptions while logging data | Applicable | |
| ERR03-J. Restore prior object state on method failure | Applicable | |
| ERR04-J. Do not complete abruptly from a finally block | Applicable | |
| ERR05-J. Do not let checked exceptions escape from a finally block | Applicable | |
| ERR06-J. Do not throw undeclared checked exceptions | Applicable | |
| ERR07-J. Do not throw RuntimeException, Exception, or Throwable | Applicable | |
| ERR08-J. Do not catch NullPointerException or any of its ancestors | Applicable | |
| ERR09-J. Do not allow untrusted code to terminate the JVM | Applicable in principle | On Android, System.exit() should not be used because it will terminate the virtual machine abruptly, ignoring the activity lifecycle which may prevent proper garbage collection. |
| VNA00-J. Ensure visibility when accessing shared primitive variables | Applicable | |
| VNA01-J. Ensure visibility of shared references to immutable objects | Applicable | |
| VNA02-J. Ensure that compound operations on shared variables are atomic | Applicable | |
| VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic | Applicable | |
| VNA04-J. Ensure that calls to chained methods are atomic | Applicable | |
| VNA05-J. Ensure atomicity when reading and writing 64-bit values | Applicable | |
| LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code | Applicable in principle | |
| LCK01-J. Do not synchronize on objects that may be reused | Applicable | |
| LCK02-J. Do not synchronize on the class object returned by getClass() | Applicable | |
| LCK03-J. Do not synchronize on the intrinsic locks of high-level concurrency objects | Applicable | |
| LCK04-J. Do not synchronize on a collection view if the backing collection is accessible | Applicable | |
| LCK05-J. Synchronize access to static fields that can be modified by untrusted code | Applicable in principle | |
| LCK06-J. Do not use an instance lock to protect shared static data | Applicable | |
| LCK07-J. Avoid deadlock by requesting and releasing locks in the same order | Applicable | |
| LCK08-J. Ensure actively held locks are released on exceptional conditions | Applicable | |
| LCK09-J. Do not perform operations that can block while holding a lock | Applicable | |
| LCK10-J. Do not use incorrect forms of the double-checked locking idiom | Applicable | |
| LCK11-J. Avoid client-side locking when using classes that do not commit to their locking strategy | Applicable in principle | |
| THI00-J. Do not invoke Thread.run() | Applicable in principle | Android provides a couple of solutions for threading. The Android Developers Blog's article "Painless threading" discusses those solutions. |
| THI01-J. Do not invoke ThreadGroup methods | Applicable | |
| THI02-J. Notify all waiting threads rather than a single thread | Applicable in principle | |
| THI03-J. Always invoke wait() and await() methods inside a loop | Applicable in principle | |
| THI04-J. Ensure that threads performing blocking operations can be terminated | Applicable in principle | |
| THI05-J. Do not use Thread.stop() to terminate threads | Applicable in principle | On Android, Thread.stop() was deprecated in API level 1. |
| TPS00-J. Use thread pools to enable graceful degradation of service during traffic bursts | Applicable in principle | |
| TPS01-J. Do not execute interdependent tasks in a bounded thread pool | Applicable in principle | |
| TPS02-J. Ensure that tasks submitted to a thread pool are interruptible | Applicable in principle | |
| TPS03-J. Ensure that tasks executing in a thread pool do not fail silently | Applicable in principle | |
| TPS04-J. Ensure ThreadLocal variables are reinitialized when using thread pools | Applicable in principle | |
| TSM00-J. Do not override thread-safe methods with methods that are not thread-safe | Applicable in principle | |
| TSM01-J. Do not let the this reference escape during object construction | Applicable in principle | |
| TSM02-J. Do not use background threads during class initialization | Applicable in principle | |
| TSM03-J. Do not publish partially initialized objects | Applicable | |
| FIO00-J. Do not operate on files in shared directories | Applicable in principle | On Android, the SD card ( /sdcard or /mnt/sdcard ) is shared among multiple applications, thus sensitive files should not be stored on the SD card. |
| FIO01-J. Create files with appropriate access permissions | Applicable in principle | Creating files with weak permissions may allow malicious applications to access the files. |
| FIO02-J. Detect and handle file-related errors | Applicable | |
| FIO03-J. Remove temporary files before termination | Applicable | |
| FIO04-J. Release resources when they are no longer needed | Applicable in principle | The compliant solution (Java SE 7: try-with-resources) is not yet supported at API level 18 (Android 4.3). |
| FIO05-J. Do not expose buffers created using the wrap() or duplicate() methods to untrusted code | Applicable | |
| FIO06-J. Do not create multiple buffered wrappers on a single InputStream | Applicable in principle | |
| FIO07-J. Do not let external processes block on IO buffers | Applicable | |
| FIO08-J. Use an int to capture the return value of methods that read a character or byte | Applicable | <This page was deleted. We can ask for it to be undeleted. Please advise.> |
| FIO09-J. Do not rely on the write() method to output integers outside the range 0 to 255 | Applicable | |
| FIO10-J. Ensure the array is filled when using read() to fill an array | Applicable | |
| FIO11-J. Do not attempt to read raw binary data as character data | Applicable | <The link on the left does not work. Please advise.> |
| FIO12-J. Provide methods to read and write little-endian data | Applicable | |
| FIO13-J. Do not log sensitive information outside a trust boundary | Applicable in principle | DRD04-J. Do not log sensitive information is an Android specific instance of this rule. |
| FIO14-J. Perform proper cleanup at program termination | Applicable in principle | Although most of the code examples are not applicable to the Android platform, the principle is applicable to Android. There are a number of ways to terminate a process on Android: android.app.Activity.finish(), and the related finish... methods, android.app.Activity.moveTaskToBack(boolean flag), android.os.Process.killProcess(int pid), System.exit(). |
| FIO15-J. Do not operate on untrusted file links | Applicable in principle | |
| SER00-J. Enable serialization compatibility during class evolution | Applicable | |
| SER01-J. Do not deviate from the proper signatures of serialization methods | Applicable | |
| SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary | Applicable | |
| SER03-J. Do not serialize unencrypted, sensitive data | Applicable | |
| SER04-J. Do not allow serialization and deserialization to bypass the security manager | Not applicable | The java.security package exists on Android for compatibility purposes only and it should not be used. |
| SER05-J. Do not serialize instances of inner classes | Applicable | |
| SER06-J. Make defensive copies of private mutable components during deserialization | Applicable | |
| SER07-J. Do not use the default serialized form for classes with implementation-defined invariants | Applicable | |
| SER08-J. Minimize privileges before deserializing from a privileged context | Applicable | |
| SER09-J. Do not invoke overridable methods from the readObject() method | Applicable | |
| SER10-J. Avoid memory and resource leaks during serialization | Applicable | |
| SER11-J. Prevent overwriting of externalizable objects | Applicable | |
| SEC00-J. Do not allow privileged blocks to leak sensitive information across a trust boundary | Not applicable | The java.security package exists on Android for compatibility purposes only and it should not be used. |
| SEC01-J. Do not allow tainted variables in privileged blocks | Applicable in principle | The code examples using the java.security package are not applicable to Android but the principle of the rule is applicable to Android apps. |
| SEC02-J. Do not base security checks on untrusted sources | Applicable in principle | The code examples using the java.security package are not applicable to Android but the principle of the rule is applicable to Android apps. |
| SEC03-J. Do not load trusted classes after allowing untrusted code to load arbitrary classes | Applicable in principle | On Android, the use of DexClassLoader or PathClassLoader requires caution. |
| SEC04-J. Protect sensitive operations with security manager checks | Not applicable | The java.security package exists on Android for compatibility purposes only and it should not be used. |
| SEC05-J. Do not use reflection to increase accessibility of classes, methods, or fields | Applicable in principle | Reflection can be used on Android so the rule is applicable. Also the use of reflection may allow a developer to access private Android APIs and so requires caution. |
| SEC06-J. Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar | Not applicable | |
| SEC07-J. Call the superclass's getPermissions() method when writing a custom class loader | Not applicable | The java.security package exists on Android for compatibility purposes only and it should not be used. |
| JN100-J. Define wrappers around native methods | Applicable | |
| JNI02-J. Do not assume object references are constant or unique | Applicable | |
| JNI03-J. Do not use direct pointers to Java objects in JNI code | Applicable in principle | Applicable to API versions 14 and above, with NDK versions 7 and above. |
| JNI04-J. Do not assume that Java strings are null-terminated | Applicable | |
| ENV00-J. Do not sign code that performs only unprivileged operations | Not applicable | The Android system uses code signing as a means of identifying the author of an application and establishing trust relationships between applications, not as a means of granting elevated privileges to code. |
| ENV01-J. Place all security-sensitive code in a single JAR and sign and seal it | Not applicable | java.security.AccessController exists on Android for compatibility purposes only and it should not be used. |
| ENV02-J. Do not trust the values of environment variables | Applicable in principle | On Android, the environment variable user.name is not used and is left blank. However, environment variables exist and are used on Android so the rule is applicable. |
| ENV03-J. Do not grant dangerous combinations of permissions | Not applicable | The java.security package exists on Android for compatibility purposes only and it should not be used. Android uses another permission mechanism for security purposes. |
| ENV04-J. Do not disable bytecode verification | Applicable in principle | Under the default settings, bytecode verification is enabled on the Dalvik VM. To change the settings use the adb shell to set the appropriate system property, for example: adb shell setprop dalvik.vm.dexopt-flags v=a or pass -Xverify:all as an argument to the Dalvik VM. |
| ENV05-J. Do not deploy an application that can be remotely monitored | Not applicable | JVMTI is not supported on the Dalvik VM. |
| MSC00-J. Use SSLSocket rather than Socket for secure data exchange | Applicable | |
| MSC01-J. Do not use an empty infinite loop | Applicable | |
| MSC02-J. Generate strong random numbers | Applicable | |
| MSC03-J. Never hard code sensitive information | Applicable in principle | Hard coded information can be easily obtained on Android by using the apktool to decompile an application or by using dex2jar to convert a dex file to a jar file. |
| MSC04-J. Do not leak memory | Applicable | |
| MSC05-J. Do not exhaust heap space | Applicable | |
| MSC06-J. Do not modify the underlying collection when an iteration is in progress | Applicable | |
| MSC07-J. Prevent multiple instantiations of singleton objects | Applicable | |