This appendix contains rules that are specific to the development of Java apps for the Android platform. These rules do not apply to the development of Java programs for other platforms and Android. (Those can be found here.)
Rules
Risk Assessment Summary
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DRD??-J | medium | likely | high | P6 | L2 |
DRD??-J | low | unlikely | medium | P2 | L3 |
DRD??-J | high | probable | medium | P12 | L1 |
Rule | Rule Text | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|---|
DRD??-J | Do not log sensitive information to on-device logs |
|
|
|
|
|
DRD??-J | Do not store sensitive information to unprotected location |
|
|
|
|
|
DRD??-J | When store sensitive data, encrypt it and give proper file permissions |
|
|
|
|
|
| DRD??-J | Ensure there are strong server side controls, or do not count on confidentiality or integrity of data sent to server | |||||
| DRD??-J | Ensure sufficient transport layer protection | |||||
| DRD??-J | Do not store some types of very sensitive data | |||||
| DRD??-J | Do not ignore certification validation errors and then fall back to clear text communications | |||||
| DRD07??-J | Validate all data sent to and received from untrusted third-party applications before processing | |||||
| DRD??-J | No writing to SD card unless data identified as no privileges needed |
ENV05-J. Do not deploy an application that can be remotely monitored The CERT Oracle Secure Coding Standard for Java MSC00-J. Use SSLSocket rather than Socket for secure data exchange