Permissive context mode for resources

Overview

  • Rule ID: java_android_world_readable_writable_mode

  • Applicable Languages: Java

  • Weakness ID: CWE-732

Description

Using permissive context modes such as Context.MODE_WORLD_READABLE and Context.MODE_WORLD_WRITEABLE for file permissions exposes your application to serious security vulnerabilities. These modes allow any application on the device to read or to write your files, respectively. Because of these risks, the constants have been deprecated and removed from recent Android versions.

Risks

  • Unauthorized Data Access: Any application installed on the device can read sensitive data stored by your app when using MODE_WORLD_READABLE.

  • Data Modification: With MODE_WORLD_WRITEABLE, any app can modify your app's files, potentially leading to data corruption or unauthorized changes.

  • Privacy Violations: Exposure of sensitive user information stored in files, such as personal data or credentials, to other apps on the device.

  • Security Vulnerabilities: Increased susceptibility to data breaches and exploitation by malicious apps due to the lack of access control.

Remediation Guidelines

  • Use Context.MODE_PRIVATE for file permissions to restrict file access to your application only.

getSharedPreferences("MyPreferences", Context.MODE_PRIVATE);

  • Use a ContentProvider for secure data sharing with other applications, enabling controlled access management.

public class MyContentProvider extends ContentProvider {
    // Implement content provider methods here
}

  • Avoid using the MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE constants, even in legacy applications, and transition to more secure file access methods.
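The following added example (not code from the original page) combines the two remediations above: the file is written with Context.MODE_PRIVATE, and a read-only ContentProvider is the only way other apps can obtain its contents. The class name NoteProvider, the file name note.txt and the column name "note" are assumptions; the provider is assumed to be declared in AndroidManifest.xml with android:exported="true" and an android:readPermission so the platform enforces which callers may query it.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Hypothetical provider: the note lives in a MODE_PRIVATE file (readable only by this app's UID)
// and is exposed to other apps through a ContentProvider rather than a world-readable file.
public class NoteProvider extends ContentProvider {
    private static final String FILE_NAME = "note.txt";

    // Write path used by this app only; MODE_PRIVATE replaces the removed MODE_WORLD_* modes.
    public static void saveNote(Context ctx, String text) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            out.write(text.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Reads the private file back; only this app's process can open it directly.
    private String loadNote() throws IOException {
        try (FileInputStream in = getContext().openFileInput(FILE_NAME)) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
            return buf.toString(StandardCharsets.UTF_8.name());
        }
    }

    @Override public boolean onCreate() { return true; }

    // Other apps reach this via ContentResolver.query(); only the "note" column is exposed,
    // and the manifest's readPermission gates who may call it.
    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        MatrixCursor cursor = new MatrixCursor(new String[] {"note"});
        try { cursor.addRow(new Object[] {loadNote()}); } catch (IOException ignored) { }
        return cursor;
    }

    @Override public String getType(Uri uri) { return "vnd.android.cursor.item/vnd.example.note"; }
    // Read-only: rejecting writes removes the MODE_WORLD_WRITEABLE risk of other apps altering the file.
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException("read-only"); }
    @Override public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException("read-only"); }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { throw new UnsupportedOperationException("read-only"); }
}
```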

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL