You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)

In Android apps, if  the export value of a component is explicitly marked false in the app's manifest file, the component is made private. Any application can access components that are not explicitly assigned an access permission.

Noncompliant Code Example

This noncompliant code example shows an application that creates a file that is world readable, and hence not secure.

 

Any application can access components that are not explicitly assigned an access permission.

Compliant Solution

In this compliant solution the export value of a component is explicitly marked false in the app's manifest file, making the component private.

 

Risk Assessment

By not limiting access to a component intended to be private, sensitive information or capabilities could be leaked.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DRD16-J

 Medium

 Probable

 Medium

 P8

 L2

Automated Detection

Automatic detection of the labelling of every component in the manifest as exported true or  false would be straightforward. It is not feasible to automatically determine whether the component was meant to be private or not.

Bibliography

Android API 2013Class Context
Enck 2009Understanding Android Security

 

 

 

 

  • No labels