Android World Writeable Readable File Permission

ID

kotlin.android_world_writeable_readable_file_permission

Severity

critical

Resource

Access Control

Language

Kotlin

Tags

CWE:732, NIST.SP.800-53, PCI-DSS:6.5.6, PCI-DSS:6.5.8, android

Description

Creating files with world-readable or world-writable permissions lets any other application on the device read or modify the data, which can lead to unauthorized access to, or tampering with, sensitive data.

Rationale

Android applications often need to store files on the device. Files written with the default mode live in the app's private internal storage and are owned by the app's own Linux UID, so no other app can open them. Incorrectly configured modes such as MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE relax that boundary: any other application on the device can then read or write the file, with no permission prompt, compromising its confidentiality and integrity. Both modes have been deprecated since API level 17, and on Android 7.0 (API 24) and later passing them throws a SecurityException; on older devices and lower targets the file is silently exposed.

import android.content.Context
import java.io.FileOutputStream
import java.io.IOException

fun writeUserProfileInsecure(context: Context) {
    val fileName = "user_profiles.txt"
    val fileContent = "UserName: John Doe\nEmail: john.doe@example.com"

    try {
        // FLAW: MODE_WORLD_READABLE lets every other app on the device read this file
        context.openFileOutput(fileName, Context.MODE_WORLD_READABLE).use { outputStream -> // FLAW
            outputStream.write(fileContent.toByteArray())
        }
        println("File written successfully with insecure permissions.")
    } catch (e: IOException) {
        e.printStackTrace()
        println("Failed to write the file.")
    }
}

Remediation

To enhance security, use file storage modes that grant the least privilege necessary. Avoid MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE and rely on Context.MODE_PRIVATE (the default mode, value 0) instead, which restricts access to the app that created the file. If data genuinely has to be shared with another app, expose it through a ContentProvider or FileProvider with explicit permission grants rather than by widening the file's permission bits.

import android.content.Context
import java.io.FileOutputStream
import java.io.IOException

fun writeUserProfileSecure(context: Context) {
    val fileName = "user_profiles.txt"
    val fileContent = "UserName: John Doe\nEmail: john.doe@example.com"

    try {
        // MODE_PRIVATE (the default) keeps the file readable and writable only by this app's UID
        context.openFileOutput(fileName, Context.MODE_PRIVATE).use { outputStream ->
            outputStream.write(fileContent.toByteArray())
        }
        println("File written successfully with secure permissions.")
    } catch (e: IOException) {
        e.printStackTrace()
        println("Failed to write the file.")
    }
}
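The following is an added example, not part of this rule page or the tool it documents: a small Python source scanner that implements the same check over Kotlin code, flagging any use of the two world-accessible mode constants (with or without the Context. prefix) while ignoring mentions inside // comments. The Kotlin inputs are constructed here from the snippets above; the getSharedPreferences line is an assumption added to show that the mode argument is not specific to openFileOutput.

```python
import re
from dataclasses import dataclass

# Context mode constants this rule flags. The same mode argument is accepted by
# getSharedPreferences(), getDir() and openOrCreateDatabase(), so the scan is
# deliberately not limited to openFileOutput() calls.
WORLD_MODES = ("MODE_WORLD_READABLE", "MODE_WORLD_WRITEABLE")
_MODE_RE = re.compile(r"\b(?:Context\.)?(" + "|".join(WORLD_MODES) + r")\b")
_LINE_COMMENT_RE = re.compile(r"//.*$")


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number in the scanned source
    mode: str    # which world-accessible constant was used
    source: str  # the offending line, stripped of surrounding whitespace


def strip_line_comment(line: str) -> str:
    """Drop a trailing // comment so a constant named in a comment is not flagged."""
    return _LINE_COMMENT_RE.sub("", line)


def find_world_modes(kotlin_source: str) -> list[Finding]:
    """Return one Finding per use of a world-readable/writeable mode constant."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(kotlin_source.splitlines(), start=1):
        code = strip_line_comment(raw)
        for match in _MODE_RE.finditer(code):
            findings.append(Finding(lineno, match.group(1), raw.strip()))
    return findings


# Constructed sample: the insecure write from this page, a comment-only mention
# that must not be reported, and a (hypothetical) shared-preferences misuse.
INSECURE_KOTLIN = """\
fun writeUserProfileInsecure(context: Context) {
    // never use MODE_WORLD_READABLE here
    context.openFileOutput("user_profiles.txt", Context.MODE_WORLD_READABLE).use { out ->
        out.write("UserName: John Doe".toByteArray())
    }
    val prefs = context.getSharedPreferences("session", MODE_WORLD_WRITEABLE)
}
"""

# Constructed sample: the remediated write from this page, which must be clean.
SECURE_KOTLIN = """\
fun writeUserProfileSecure(context: Context) {
    context.openFileOutput("user_profiles.txt", Context.MODE_PRIVATE).use { out ->
        out.write("UserName: John Doe".toByteArray())
    }
}
"""
```

Running find_world_modes(INSECURE_KOTLIN) reports lines 3 and 6, while the secure snippet yields no findings.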

References