ABSTRACT

An Android activity fails to release the MediaRecorder, MediaPlayer, or AudioRecord object in its onPause(), onStop(), or onDestroy() event handlers.

EXPLANATION

The Android activity allocates a media object that is not released in onPause(), onStop(), or onDestroy() callback. The Android OS invokes these callbacks whenever it needs to send the current activity to the background, or when it needs to temporarily destroy the activity when system resources are low. By failing to release the media object properly, the activity causes subsequent accesses to Android's media hardware (by other applications or even the same application) to fall back to the software implementations, or even fail altogether. Leaving too many unreleased media instances open can lead Android to throw exceptions, effectively causing a denial of service. Furthermore, maintaining possession of the media instance while the activity is paused can negatively impact the user's experience by unnecessarily draining the battery.

Example: The following code describes an Android activity that does not override the base onPause() method, which should be used to release the media object, nor does it properly release it during its shutdown sequence.


public class UnreleasedMediaActivity extends Activity {
private MediaPlayer mp;

@Override
public void onCreate(Bundle state) {
...
}

@Override
public void onRestart() {
...
}

@Override
public void onStop() {
mp.stop();
}
}

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II

[3] Audio Capture, Android Developers

[4] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 404, CWE ID 619

[5] Media Player, Android Developers

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9

[7] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Risky Resource Management - CWE ID 404