(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)
In Android apps, data stored in a file, shared preference, or database should not be accessible to other apps (or, more strictly, to apps running under a different user ID). This can be ensured by creating the file, shared preference, or database with MODE_PRIVATE. MODE_PRIVATE is a constant defined by the class android.content.Context. It may be used as the mode parameter of the methods openFileOutput(), getSharedPreferences(), and openOrCreateDatabase(), all of which are also defined in the class android.content.Context.

Similarly, if the exported attribute of a component is explicitly set to false in the app's manifest file, the component is made private. Any application can access a component that is not explicitly assigned an access permission.
Noncompliant Code Example
This noncompliant code example shows an application that creates a file that is world readable and hence not secure.

```java
// Noncompliant: the file is readable by every app on the device
openFileOutput("someFile", MODE_WORLD_READABLE);
```
Any application could read the file and access any data stored in it. In the same way, any application can access a component that is not explicitly assigned an access permission.
Compliant Solution
In this compliant solution the file is created using MODE_PRIVATE, so it cannot be accessed other than by apps with the same user ID as the app that created it. The corresponding measure for a component is to explicitly set its exported attribute to false in the app's manifest file, making the component private.

```java
// Compliant: only the creating app (or apps sharing its user ID) can open the file
openFileOutput("someFile", MODE_PRIVATE);
```
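The following class is an added example, not code from the rule page itself, that applies MODE_PRIVATE to all three Context methods named in the introduction (openFileOutput(), getSharedPreferences(), and openOrCreateDatabase()) so that the file, the preference store, and the database are each confined to the creating app's user ID. The class name PrivateStorage and the method names are assumptions chosen for the example. As a practical caveat, MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE have been deprecated since API level 17, and passing them to these methods throws a SecurityException in apps targeting API level 24 or later, so a private mode is the only mode that remains usable in current code.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.database.sqlite.SQLiteDatabase;

import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * Added example (hypothetical helper, not part of the rule page): every
 * app-local store is created with Context.MODE_PRIVATE, which is the
 * compliant mode for all three creation methods on android.content.Context.
 */
public final class PrivateStorage {

    private PrivateStorage() {
        // static helpers only
    }

    /** Writes text to a file in internal storage that only this app's UID can read. */
    public static void writePrivateFile(Context ctx, String fileName, String text)
            throws IOException {
        // openFileOutput(name, mode): MODE_PRIVATE replaces the world-readable
        // mode shown in the noncompliant example.
        try (FileOutputStream out = ctx.openFileOutput(fileName, Context.MODE_PRIVATE)) {
            out.write(text.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Stores a key/value pair in a shared-preferences file private to this app. */
    public static void writePrivatePreference(Context ctx, String prefsName,
                                              String key, String value) {
        // getSharedPreferences(name, mode) with MODE_PRIVATE keeps the XML
        // backing file readable only by this app's UID.
        SharedPreferences prefs = ctx.getSharedPreferences(prefsName, Context.MODE_PRIVATE);
        prefs.edit().putString(key, value).apply();
    }

    /** Opens (creating it if necessary) a SQLite database private to this app. */
    public static SQLiteDatabase openPrivateDatabase(Context ctx, String dbName) {
        // openOrCreateDatabase(name, mode, factory): MODE_PRIVATE again; the
        // null CursorFactory selects the default cursor implementation.
        return ctx.openOrCreateDatabase(dbName, Context.MODE_PRIVATE, null);
    }
}
```

The helpers take the Context as a parameter rather than extending Activity, so the same code can be called from an Activity, a Service, or a ContentProvider. Making the owning component private is a separate step: set android:exported="false" on that component in the manifest, which the page describes above and which no Java code can substitute for.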
Risk Assessment
By not limiting access to a component intended to be private, sensitive information or capabilities could be leaked.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DRD16-J | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Automatic detection of the mode used when a file, shared preference, or database is created, or of whether every component in the manifest is labelled as exported true or false, would be straightforward. It is not feasible to automatically determine whether the data written to the file, shared preference, or database is sensitive, or whether a component was meant to be private or not.
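As an added example of the straightforward half of that detection, the checker below (not part of the rule page or of any real analysis tool; the class and method names are assumptions) scans source lines for calls to the three Context creation methods whose argument list names a world-accessible mode constant. It is a textual check, so it only sees the named constants and not the equivalent integer literals or a mode passed through a variable; judging whether the stored data is sensitive is left, as the page says, to a human reviewer.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical checker, not from the rule page): flags calls to
 * openFileOutput(), getSharedPreferences(), or openOrCreateDatabase() whose
 * argument list contains MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE.
 */
public final class WorldModeChecker {

    // Group 1: the creation method; group 2: the offending mode constant.
    // "[^;]*?" keeps the match inside one statement.
    private static final Pattern WORLD_MODE = Pattern.compile(
            "\\b(openFileOutput|getSharedPreferences|openOrCreateDatabase)\\s*\\("
            + "[^;]*?\\b(MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE)\\b");

    private WorldModeChecker() {
    }

    /** Returns one finding per source line that uses a world-accessible mode. */
    public static List<String> findWorldAccessibleModes(List<String> sourceLines) {
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < sourceLines.size(); i++) {
            Matcher m = WORLD_MODE.matcher(sourceLines.get(i));
            if (m.find()) {
                findings.add("line " + (i + 1) + ": " + m.group(1)
                        + "() called with " + m.group(2));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample source lines for the demonstration; the first and
        // third should be reported, the second (MODE_PRIVATE) should not.
        List<String> sample = Arrays.asList(
                "FileOutputStream f = openFileOutput(\"someFile\", MODE_WORLD_READABLE);",
                "SharedPreferences p = getSharedPreferences(\"prefs\", MODE_PRIVATE);",
                "SQLiteDatabase db = openOrCreateDatabase(\"app.db\", MODE_WORLD_WRITEABLE, null);");
        for (String finding : findWorldAccessibleModes(sample)) {
            System.out.println(finding);
        }
    }
}
```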
Bibliography
Reference | Title |
---|---|
[Android API 2013] | Class Context |
[Enck 2009] | Understanding Android Security |
...