...
Failure to enforce security checks in code that performs sensitive operations can lead to malicious tampering of sensitive data.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
SEC04-J | High | Probable | Medium | P12 | L1 |
Automated Detection
Identifying sensitive operations requires assistance from the programmer; fully automated identification of sensitive operations is beyond the current state of the art.
Given knowledge of which operations are sensitive, as well as which specific security checks must be enforced for each operation, an automated tool could reasonably enforce the invariant that the sensitive operations are invoked only from contexts where the required security checks have been performed.
| Tool | Version | Checker | Description |
|---|---|---|---|
| Parasoft Jtest |
| CERT.SEC04.SCF | Enforce 'SecurityManager' checks before setting or getting fields |
Android Implementation Details
The java.security package exists on Android for compatibility purposes only, and it should not be used.
Bibliography
[API 2014] |
...
...