(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)
In Android apps, data can be communicated via intents, or data can be written to files, distributed using shared preferences, or stored in databases. In all these cases, if the data is sensitive, it is important to keep the data secure. That is, it should not be possible for other apps (or, more strictly, apps with different userids) to be able to access this data, or for the data to be accessible to other programs or people, if the data owner does not intend that.
Data security (for non-intent communication channels) can be supported by creating the file, shared preference or database with MODE_PRIVATE on internal storage or with MODE_PRIVATE and encrypted (using secure encryption techniques, and using an encryption key only secure parties/apps have) on external storage. MODE_PRIVATE is a constant defined by the class android.content.Context. It may be used as the mode parameter in the methods openFileOutput(), getSharedPreferences(), and openOrCreateDatabase() (which are all also defined in the class android.content.Context).
Static taint flow analysis can be done for a set of apps, to trace data from each source (an input of data which cannot be fully predicted by static analysis, e.g., text input by a user) to reachable sinks (data output to a location that other applications or methods can access, e.g., sending the data over a bluetooth connection). Taint flow analysis helps users understand many possible source to sink flows, including flows that include intents and/or static fields.
Noncompliant Code Example
This noncompliant code example shows an application that creates a file that is world readable, and hence not secure.
openFileOutput("someFile", MODE_WORLD_READABLE);
Any application could read the file and access any data stored in it.
Compliant Solution
In this compliant solution the file is created using MODE_PRIVATE, so it cannot be accessed other than by apps with the same userid as the app that created the file.
openFileOutput("someFile", MODE_PRIVATE);
Risk Assessment
Creating a file, shared preference, or database without setting MODE_PRIVATE can leak sensitive information.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DRD11-J | High | Probable | Medium | P12 | L1 |
Automated Detection
Automatic detection of the mode used when a file, shared preference, or database is created is straightforward. It is not feasible to automatically determine whether data written to an intent, file, shared preference, or database is sensitive.
Automated static taint flow analysis can be done for a set of apps, to trace data from each source (an input of data which cannot be fully predicted by static analysis, e.g., text input by a user) to reachable sinks (data output to a location that other applications or methods can access, e.g., sending the data over a bluetooth connection). Taint flow analysis helps users understand many possible source to sink flows, including flows that include intents and/or static fields. However, we know of no combination of native code analysis (where the native code analysis is not only heuristic, but actually statically analyzes the native code) and reflection analysis with the kind of taint flow analysis which includes intents and static fields. Therefore, current taint flow analyses are not sound: some source-to-sink dataflows can be missed.
Bibliography
| [Android API 2013] | Class Context |
FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps. | |
| [Octeau 2013] | Effective inter-component communication mapping in Android with Epicc: An essential step towards holistic security analysis. |
| [Klieber 2014] | Android Taint Flow Analysis for App Sets |
