Recipe Name:
Insecure Data Storage: Store Sensitive Data in a Private Location (FileOutputStream constructor) in Activity
Description:
Do not store sensitive data in a public location
Level:
warning
Language:
  • java
Tags:
  • security
  • framework specific
  • mobile
  • Android
Documentation

Abstract

Out of Android best practices and secure coding guidelines, recommendations were abstracted that state that sensitive data should be stored in a private location, inaccessible from other applications.

Description

Developers must ensure that sensitive information is written to a private location which is inaccessible by other applications. One solution is to write data to the internal storage of the device instead of the external storage. The following code example shows how to create a file on the internal storage. A flag should be set to ensure that the file can only be accessed by the current application. To ensure good code quality it is recommended to use a meaningful constant for this flag instead of its raw value.

Correct code example:

FileOutputStream fos;
File file = new File(filepath) ;
Context c = this.getApplicationContext();
fos = c.openFileOutput(file.getPath(), android.content.Context.MODE_PRIVATE);
Recipe
id: scw:android:secure-storage-FileOutputStream-Activity
version: 10
metadata:
  name: 'Insecure Data Storage: Store Sensitive Data in a Private Location (FileOutputStream constructor) in Activity'
  shortDescription: Do not store sensitive data in a public location
  level: warning
  language: java
  enabled: true
  comment: ""
  descriptionFile: descriptions/java_android_sensitive_information_store_sensitive_data_in_a_private_location.html
  tags: security;framework specific;mobile;Android
search:
  instanceCreation:
    in:
      class:
        super:
          name: android.app.Activity
    type: java.io.FileOutputStream
availableFixes:
- name: Store data in a private location
  actions:
  - rewrite:
      to: this.getApplicationContext().openFileOutput({{{ arguments.0 }}}.getPath(), android.content.Context.MODE_PRIVATE)
      target: self