ABSTRACT

The program requests permission to make and receive telephone calls.

EXPLANATION

Permissions to make and receive telephone calls must not be requested without cause, nor granted without consideration. Malicious software exploits these permissions to dial premium-rate numbers, charging the calls to unwary users and thereby stealing their money.

Example 1: The <uses-permission .../> element in the AndroidManifest.xml below requests a telephony permission through its android:name attribute.

<uses-permission android:name="android.permission.CALL_PHONE"/>
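A defender-side check for this finding, added here as an example and not part of the original page: a short Python script that parses an AndroidManifest.xml and reports every permission that lets the app place or answer calls. The permission table and the sample manifest are constructed for the example; an app that only needs to start a call can use Intent.ACTION_DIAL, which hands off to the dialer and needs no permission.

```python
"""Audit an AndroidManifest.xml for permissions that place or answer calls."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Telephony permissions a reviewer should question. CALL_PHONE is the one from
# the finding above; the rest are real Android permissions of similar weight.
CALL_PERMISSIONS = {
    "android.permission.CALL_PHONE": "place calls without showing the dialer",
    "android.permission.CALL_PRIVILEGED": "call any number, including emergency numbers",
    "android.permission.ANSWER_PHONE_CALLS": "answer incoming calls programmatically",
    "android.permission.PROCESS_OUTGOING_CALLS": "observe or redirect outgoing calls",
}


def find_call_permissions(manifest_xml: str) -> List[Tuple[str, str]]:
    """Return (permission, why it matters) for each telephony permission requested."""
    root = ET.fromstring(manifest_xml)
    found = []
    # <uses-permission-sdk-23> is the API-23-and-above variant of the same request.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(f"{{{ANDROID_NS}}}name", "")
            if name in CALL_PERMISSIONS:
                found.append((name, CALL_PERMISSIONS[name]))
    return found


# Constructed manifest: a flashlight app has no cause to request CALL_PHONE.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, reason in find_call_permissions(SAMPLE_MANIFEST):
        print(f"review needed: {perm} ({reason})")
```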
