You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Current »

The following table lists the Java development guidelines in the book, "Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs", and states their applicability to the development of Android applications. Applicable means that the guideline can be applied to general Java platforms including Android. Applicable in principle means that the guideline can be applied to Android but the examples shown in the guideline are not relevant to Android, and in some cases the guideline's full description also needs edits (the latter are provided in the Comments column). Not applicable means that the guideline cannot be applied to Android platforms.

Guideline
Applicable to Android Application Development?
Comments
MSC59-J. Limit the lifetime of sensitive dataApplicable in principleThe non-compliant code example is probably not problematic on Dalvik because each app has its own Dalvik VM and string objects would not be accessible from other apps (?)
FIO52-J. Do not store unencrypted sensitive information on the client sideApplicable 
OBJ56-J. Provide sensitive mutable classes with unmodifiable wrappersUnknown?
SEC55-J. Ensure security-sensitive methods are called with validated argumentsApplicable in principleOn Android, accessControlContext is not available.
IDS56-J. Prevent arbitrary file uploadApplicable in principle 
IDS51-J. Properly encode or escape outputApplicable in principle 
IDS52-J. Prevent code injectionApplicable in principleScriptEngineManager is not included in the Android SDK.
IDS53-J. Prevent XPath InjectionApplicable 
IDS54-J. Prevent LDAP injectionApplicable in principleApplicable in principle for android apps that tries to implement its own LDAP
MET52-J. Do not use the clone method to copy untrusted method parametersApplicable 
MET56-J. Do not use Object.equals() to compare cryptographic keysApplicable 
MSC61-J. Do not use insecure or weak cryptographic algorithmsApplicable 
MSC62-J. Store passwords using a hash functionApplicable 
MSC63-J. Ensure SecureRandom is properly seededApplicable 
OBJ57-J. Do not rely on overridden methods provided by untrusted codeApplicable 
SEC50-J. Avoid granting excess privilegesApplicable in principleThe brief phrase for the guideline applies to Android. However, the current extended-text description for the guideline in the hardcopy book does not apply to Android, because Android does not use AccessController. The following text supplements that section, to make it applicable to Android.: An application should use as few "<uses-permission>"s in AndroidManifest.xml as possible. App developers should also avoid signature/system/dangerous permissions, and having a shared system UID. System API calls are code running as system, and apps which make system API calls require standard permissions the app must specify in the application manifest with "<uses-permission>". http://developer.android.com/guide/topics/manifest/uses-permission-element.html
SEC51-J. Minimize privileged codeApplicable in principleThe brief phrase for the guideline applies to Android. However, the current extended-text description for the guideline in the hardcopy book does not apply to Android, because Android does not use AccessController. The following text supplements that section, to make it applicable to Android.: Minimize the code running as system, with permissions defined in another app’s manifest, or in shared user ID applications. System API calls are code running as system, and apps which make system API calls require standard permissions the app must specify in the application manifest with "<uses-permission>". Only applications which are signed with the same signature and also request the same sharedUserID are granted a shared user ID. Data/files stored by apps which share a user ID are accessible to all those apps.

http://developer.android.com/guide/topics/security/permissions.html

http://developer.android.com/guide/topics/manifest/uses-permission-element.html

SEC52-J. Do not expose methods that use reduced-security checks to untrusted codeNot applicable 
SEC53-J. Define custom security permissions for fine-grained securityApplicable in principleThe brief phrase for the guideline applies to Android. However, the current extended-text description for the guideline in the hardcopy book does not apply to Android. The following text supplements that section, to make it applicable to Android.: Applications are able to define their own new permissions, to restrict access to their components by other applications. Applications indicate the procedure the system should follow when determining whether to grant another app the permission, depending on protectionLevel – e.g., setting protectionLevel to “signature” so it is automatically granted to other applications requesting the permission which are signed with the same key. In addition to defining their own new permissions, applications can declare the requirement for (self-defined, other-app-defined, or system-defined) permissions, to restrict access to their components by other applications.
SEC54-J. Create a secure sandbox using a security managerNot applicable 
SEC57-J. Do not let untrusted code misuse privileges of callback methodsUnknown 
DCL53-J. Minimize the scope of variablesApplicable 
MSC50-J. Minimize the scope of the @SuppressWarnings annotationApplicable 
OBJ51-J. Minimize the accessibility of classes and their membersApplicable 
CON52-J. Document thread-safety and use annotations where applicableApplicable 
MET54-J. Always provide feedback about the resulting value of a methodApplicable 
FIO51-J. Identify files using multiple file attributesApplicable in principleOn Android, better to use openFileOutput/openFileInput for file I/O.
DCL56-J. Do not attach significance to the ordinal associated with an enumApplicable 
NUM52-J. Be aware of numeric promotion behaviorApplicable 
DCL58-J. Enable compile-time type checking of variable arity parameter typesApplicable 
DCL59-J. Do not apply public final to constants whose value might change in later releasesApplicable 
DCL60-J. Avoid cyclic dependencies between packagesApplicable 
ERR51-J. Prefer user-defined exceptions over more general exception typesApplicable 
ERR53-J. Try to gracefully recover from system errorsApplicable 
MSC53-J. Carefully design interfaces before releasing themApplicable 
OBJ52-J. Write garbage-collection-friendly codeApplicable 
DCL51-J. Do not shadow or obscure identifiers in subscopesApplicable 
DCL52-J. Do not declare more than one variable per declarationApplicable 
DCL54-J. Use meaningful symbolic constants to represent literal values in program logicApplicable 
DCL55-J. Properly encode relationships in constant definitionsApplicable 
MET55-J. Return an empty array or collection instead of a null value for methods that return an array or collectionApplicable 
ERR50-J. Use exceptions only for exceptional conditionsApplicable 
ERR54-J. Use a try-with-resources statement to safely handle closeable resourcesNot applicableThe current Android SDK does not support Java7, thus try-with-resource is not available
MSC60-J. Do not use assertions to verify the absence of runtime errorsApplicable in principleOn Android, assert() is ignored by default.
EXP55-J. Use the same type for the second and third operands in conditional expressionsApplicable 
SEC56-J. Do not serialize direct handles to system resourcesApplicable 
MSC58-J. Prefer using iterators over enumerationsApplicable 
OBJ53-J. Do not use direct buffers for short-lived, infrequently used objectsApplicable 
OBJ55-J. Remove short-lived objects from long-lived container objectsApplicable 
DCL50-J. Be careful using visually misleading identifiers and literalsApplicable 
DCL57-J. Avoid ambiguous overloading of variable arity methodsApplicable 
ERR52-J. Avoid in-band error indicatorsApplicable 
EXP51-J. Do not perform assignments in conditional expressionsApplicable 
EXP52-J. Use braces for the body of an if, for, or while statementApplicable 
MSC51-J. Do not place a semicolon immediately following an if, for, or while conditionApplicable 
MSC52-J. Finish every set of statements associated with a case label with a break statementApplicable 
MSC54-J. Avoid inadvertent wrapping of loop countersApplicable 
EXP53-J. Use parentheses for precedence of operationApplicable 
FIO50-J. Do not make assumptions about file creationApplicable in principleOn Android, java.nio.file is not available.
NUM50-J. Convert integers to floating-point for floating-point operationsApplicable 
MET53-J. Ensure that the clone() method calls super.clone()Applicable 
MSC55-J. Use comments consistently and in a readable fashionApplicable 
MSC56-J. Detect and remove superfluous code and valuesApplicable 
MSC57-J. Strive for logical completenessApplicable 
CON50-J. Do not assume that declaring a reference volatile guarantees safe publication of the members of the referenced objectApplicable 
CON51-J. Do not assume that the sleep(), yield(), or getState() methods provide synchronization semanticsApplicable 
NUM51-J. Do not assume that the remainder operator always returns a nonnegative result for integral operandsApplicable 
EXP50-J. Do not confuse abstract object equality with reference equalityApplicable 
EXP54-J. Understand the differences between bitwise and logical operatorsApplicable 
IDS55-J. Understand how escape characters are interpreted when strings are loadedApplicable 
MET50-J. Avoid ambiguous or confusing uses of overloadingApplicable 
MET51-J. Do not use overloaded methods to differentiate between runtime typesApplicable 
OBJ50-J. Never confuse the immutability of a reference with that of the referenced objectApplicable 
FIO53-J. Use the serialization methods writeUnshared() and readUnshared() with careApplicable 
OBJ54-J. Do not attempt to help the garbage collector by setting local reference variables to nullApplicable 

Bibliography

[Long 2013]Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs

CERT Oracle Coding Standard for Java

 

  • No labels