Recipe Name:
Data Protection: Avoid Data Exposure - Avoid Device Protected Storage - Compliant
Description:
Compliant
Level:
compliant
Language:
- java
Tags:
- security
- framework specific
- mobile
- Android
- Android security set
Documentation
Abstract
Out of Android best practices and secure coding guidelines, recommendations were abstracted that state that sensitive data should be stored in a private location, inaccessible from other applications.Description
Developers must ensure that sensitive information is written to a private location which is inaccessible by other applications. One solution is to write data to the internal storage of the device instead of the external storage. The following code example shows how to create a file on the internal storage. A flag should be set to ensure that the file can only be accessed by the current application. To ensure good code quality it is recommended to use a meaningful constant for this flag instead of its raw value.Correct code example:
FileOutputStream fos; File file = new File(filepath) ; Context c = this.getApplicationContext(); fos = c.openFileOutput(file.getPath(), android.content.Context.MODE_PRIVATE);
Recipe
id: scw:android:createDeviceProtectedStorageContext
version: 10
metadata:
name: 'Data Protection: Avoid Data Exposure - Avoid Device Protected Storage - Compliant'
shortDescription: Compliant
level: compliant
language: java
enabled: true
descriptionFile: descriptions/java_android_sensitive_information_store_sensitive_data_in_a_private_location.html
tags: security;framework specific;mobile;Android;Android security set
search:
methodcall:
args:
1:
type: java.lang.String
value:
containsUntrustedInput: true
2:
type: int
in:
method:
with:
not:
child:
methodcall:
name: createDeviceProtectedStorageContext
declaration:
type: android.content.Context
name: openFileOutput
declaration:
type: android.content.Context
availableFixes: []