Recipe Name:
Storage best practices: insecure operating mode
Description:
When using this value other applications will have access to your application's data
Level:
error
Language:
- java
Tags:
- security
- framework specific
- mobile
- Android
- Android security set
Documentation
The Android best practices and secure coding guidelines recommend that sensitive data be stored in a private location, inaccessible from other applications.
Developers must ensure that sensitive information is written to a private location which is inaccessible by other applications. One solution is to write data to the internal storage of the device instead of the external storage.
The following code example shows how to create a file on the internal storage. A flag should be set to ensure that the file can only be accessed by the current application. To ensure good code quality it is recommended to use a meaningful constant for this flag instead of its raw value.
Before
SharedPreferences sharedPreferences = getSharedPreferences("customer_data", Context.MODE_WORLD_WRITEABLE);
After
SharedPreferences sharedPreferences = getSharedPreferences("customer_data", Context.MODE_PRIVATE);
Resources
Recipe
id: scw:android:storage-operating-mode
version: 10
metadata:
  name: 'Storage best practices: insecure operating mode'
  shortDescription: When using this value other applications will have access to your application's data
  level: error
  language: java
  enabled: true
  comment: ""
  descriptionFile: descriptions/Androidstoragebestpracticesinsecureoperatingmode.html
  tags: security;framework specific;mobile;Android;Android security set
search:
  argument:
    referenceTo:
      name:
        matches: android.content.Context.MODE_WORLD_(READABLE|WRITEABLE)
availableFixes:
- name: Change mode to Context.MODE_PRIVATE
  actions:
  - rewrite:
      to: android.content.Context.MODE_PRIVATE
      target: self
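The documentation above describes creating a file on internal storage with a private flag, while the Before/After pair covers SharedPreferences. The following Java code is an added example, not part of the original recipe page: it writes and reads a file in the app's internal storage using the named constant Context.MODE_PRIVATE. The class name PrivateFileStore and the file name customer_data.txt are assumptions made for illustration.

```java
import android.content.Context;

import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Hypothetical helper class; its name and the file name are illustrative.
public final class PrivateFileStore {

    private static final String FILE_NAME = "customer_data.txt"; // assumed name

    private PrivateFileStore() {
    }

    // Creates (or overwrites) the file in the app's internal files directory.
    // The named constant Context.MODE_PRIVATE is used instead of its raw
    // value, so the file is accessible only to the calling application.
    public static void save(Context context, String data) throws IOException {
        try (FileOutputStream out =
                     context.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            out.write(data.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Reads the file back from internal storage. openFileInput only resolves
    // names inside this application's own private files directory.
    public static String load(Context context) throws IOException {
        try (FileInputStream in = context.openFileInput(FILE_NAME);
             ByteArrayOutputStream buffer = new ByteArrayOutputStream()) {
            byte[] chunk = new byte[4096];
            int read;
            while ((read = in.read(chunk)) != -1) {
                buffer.write(chunk, 0, read);
            }
            return new String(buffer.toByteArray(), StandardCharsets.UTF_8);
        }
    }
}
```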