Recipe Name:
Storage best practices: insecure operating mode
Description:
When using this value, other applications will have access to your application's data
Level:
error
Language:
  • java
Tags:
  • security
  • framework specific
  • mobile
  • Android
  • Android security set
Documentation

The Android best practices and secure coding guidelines recommend that sensitive data be stored in a private location, inaccessible to other applications.

Developers must ensure that sensitive information is written to a private location which is inaccessible to other applications. One solution is to write data to the internal storage of the device instead of the external storage.

The following code example shows how to create a file on the internal storage. A flag should be set to ensure that the file can only be accessed by the current application. To ensure good code quality it is recommended to use a meaningful constant for this flag instead of its raw value.

Before
SharedPreferences sharedPreferences =
    getSharedPreferences("customer_data", Context.MODE_WORLD_WRITEABLE);
After
SharedPreferences sharedPreferences =
    getSharedPreferences("customer_data", Context.MODE_PRIVATE);
Resources
Recipe
id: scw:android:storage-operating-mode
version: 10
metadata:
  name: 'Storage best practices: insecure operating mode'
  shortDescription: When using this value other applications will have access to your application's data
  level: error
  language: java
  enabled: true
  comment: ""
  descriptionFile: descriptions/Androidstoragebestpracticesinsecureoperatingmode.html
  tags: security;framework specific;mobile;Android;Android security set
search:
  argument:
    referenceTo:
      name:
        matches: android.content.Context.MODE_WORLD_(READABLE|WRITEABLE)
availableFixes:
- name: Change mode to Context.MODE_PRIVATE
  actions:
  - rewrite:
      to: android.content.Context.MODE_PRIVATE
      target: self
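
The recipe's search matches references to the named constants only. As an added example (not part of the recipe or of Sensei), the Python check below also flags the raw values the constants stand for (1 and 2 in the Android SDK) when they are passed as the mode argument. It is a regex approximation run on a constructed Java sample, and the function names are illustrative.

```python
import re

WORLD_BITS = 0x0001 | 0x0002  # MODE_WORLD_READABLE | MODE_WORLD_WRITEABLE
# Matches string literals (kept) and comments (dropped, newlines preserved).
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
# The mode is the last argument of these Context methods.
CALL = re.compile(
    r"\b(getSharedPreferences|openFileOutput)\s*\([^;]*?,\s*([^,()]+?)\s*\)", re.S)
NAMED = re.compile(r"\bMODE_WORLD_(?:READABLE|WRITEABLE)\b")
LITERAL = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")


def strip_comments(src):
    def keep(m):
        text = m.group(0)
        return text if text.startswith('"') else "\n" * text.count("\n")
    return TOKEN.sub(keep, src)


def find_insecure_modes(src):
    """Return (line, method, mode_expression, reason) for each risky call."""
    src = strip_comments(src)
    findings = []
    for m in CALL.finditer(src):
        method, mode = m.group(1), m.group(2)
        line = src.count("\n", 0, m.start()) + 1
        if NAMED.search(mode):
            findings.append((line, method, mode, "world-accessible constant"))
        elif LITERAL.fullmatch(mode):
            value = int(mode, 16) if mode.lower().startswith("0x") else int(mode)
            if value & WORLD_BITS:
                findings.append((line, method, mode, "raw world-accessible value"))
    return findings


# Constructed sample input, not taken from a real application.
SAMPLE = '''\
class Store {
    void save(Context ctx) {
        // old: ctx.getSharedPreferences("a", Context.MODE_WORLD_READABLE);
        ctx.getSharedPreferences("customer_data", Context.MODE_WORLD_WRITEABLE);
        ctx.getSharedPreferences("customer_data", 1);
        ctx.openFileOutput("export.csv", 0x0002);
        ctx.getSharedPreferences(prefsName(), Context.MODE_PRIVATE);
        ctx.openFileOutput("notes, v2.txt", 0);
    }
}
'''

if __name__ == "__main__":
    for finding in find_insecure_modes(SAMPLE):
        print(finding)
```

Modes held in a variable or computed at runtime are not resolved by this check; those need a data-flow-aware analyzer.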