# Permissive context mode for resources

## Overview

* **Rule ID**: `java_android_world_readable_writable_mode`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-732

## Description

Utilizing permissive context modes such as `Context.MODE_WORLD_READABLE` and `Context.MODE_WORLD_WRITEABLE` for file permissions exposes your application to serious security vulnerabilities. These modes allow any application to read and write your files, respectively. As a result of these risks, these constants have been deprecated and removed from recent Android versions.

## Risks

* **Unauthorized Data Access**: Any application installed on the device can read sensitive data stored by your app when using `MODE_WORLD_READABLE`.
* **Data Modification**: With `MODE_WORLD_WRITEABLE`, any app can modify your app's files, potentially leading to data corruption or unauthorized changes.
* **Privacy Violations**: Exposure of sensitive user information stored in files, such as personal data or credentials, to other apps on the device.
* **Security Vulnerabilities**: Increased susceptibility to data breaches and exploitation by malicious apps due to the lack of access control.

## Remediation Guidelines

* **Use** `Context.MODE_PRIVATE` for file permissions to restrict file access to your application only.

```java
getSharedPreferences("MyPreferences", Context.MODE_PRIVATE);
```

* **Use a ContentProvider** for secure data sharing with other applications, enabling controlled access management.

```java
import android.content.ContentProvider;

public class MyContentProvider extends ContentProvider {
    // Implement the required methods here: onCreate, query, getType, insert, update, delete
}
```

* **Avoid using** `MODE_WORLD_READABLE` or `MODE_WORLD_WRITEABLE` constants, even in legacy applications, and transition to more secure file access methods.
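
The ContentProvider guideline above, carried through as an added example (not code from the original page): a provider that keeps its file private and hands callers a read-only descriptor in place of a `MODE_WORLD_READABLE` file. `ReportProvider` and `report.txt` are hypothetical names.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;

// Added example: ReportProvider and report.txt are hypothetical names.
public class ReportProvider extends ContentProvider {
    private static final String SHARED_FILE = "report.txt"; // created with MODE_PRIVATE

    @Override
    public boolean onCreate() { return true; }

    // Before (flagged by this rule): openFileOutput(SHARED_FILE, Context.MODE_WORLD_READABLE)
    // After: the file stays private; callers only ever get a read-only descriptor.
    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) {
            throw new SecurityException("read-only provider");
        }
        // Serve one fixed file; the URI never selects an arbitrary path.
        if (!SHARED_FILE.equals(uri.getLastPathSegment())) {
            throw new FileNotFoundException(uri.toString());
        }
        File file = new File(getContext().getFilesDir(), SHARED_FILE);
        return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    @Override
    public String getType(Uri uri) { return "text/plain"; }

    // No tabular data and no write operations are exposed.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) { return null; }

    @Override
    public Uri insert(Uri uri, ContentValues values) { throw new UnsupportedOperationException(); }

    @Override
    public int delete(Uri uri, String sel, String[] args) { throw new UnsupportedOperationException(); }

    @Override
    public int update(Uri uri, ContentValues values, String sel, String[] args) {
        throw new UnsupportedOperationException();
    }
}
```

Which apps may reach `openFile` is decided by the provider's manifest entry (`android:exported` together with `android:readPermission`, or `android:grantUriPermissions` for per-URI grants), so the access decision sits with your app instead of the file mode.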

## References

* [**Android Context.MODE\_PRIVATE reference**](https://developer.android.com/reference/android/content/Context#MODE_PRIVATE)
* [**Android Content Provider reference**](https://developer.android.com/reference/android/content/ContentProvider)
* [**CWE-732: Incorrect Permission Assignment for Critical Resource**](https://cwe.mitre.org/data/definitions/732.html)

## Configuration

To omit this rule during a scan, and for continuous 24/7 code-level scanning, use our [**SAST TOOL**](https://scopy.sec1.io/login).

