An Android activity fails to release the Camera instance in its onPause(), onStop(), or onDestroy() event handlers.
The Android activity allocates a Camera instance that is not released in the onPause(), onStop(), or onDestroy() callbacks. The Android OS invokes these callbacks whenever it needs to send the current activity to the background, or when it needs to temporarily destroy the activity when system resources are low. By failing to release the Camera object properly, the activity prevents other applications (or even future instances of the same application) from accessing the camera. Furthermore, maintaining possession of the Camera instance while the activity is paused can negatively impact the user's experience by unnecessarily draining the battery.
Example: The following code describes an Android activity that does not override the base onPause() method, which should be used to release the Camera object, nor does it properly release it during its shutdown sequence.
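    import android.app.Activity;
    import android.hardware.Camera;
    import android.os.Bundle;

    public class UnreleasedCameraActivity extends Activity {
        private Camera cam;

        @Override
        public void onCreate(Bundle state) {
            ...
        }

        @Override
        public void onRestart() {
            ...
        }

        // No onPause() override, and onStop() only stops the preview:
        // cam.release() is never called, so the camera stays locked.
        @Override
        public void onStop() {
            super.onStop();
            cam.stopPreview();
        }
    }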
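For comparison, a corrected version of the activity above, added here as an illustration and not part of the original example. The class name ReleasedCameraActivity, the log tag, and the releaseCamera() helper are assumptions; the camera is acquired in onResume() and released in onPause(), with a second idempotent release in onDestroy().

```java
import android.app.Activity;
import android.hardware.Camera;
import android.os.Bundle;
import android.util.Log;

// Hypothetical class name; mirrors the example above with the release added.
public class ReleasedCameraActivity extends Activity {
    private static final String TAG = "ReleasedCameraActivity";
    private Camera cam;

    @Override
    protected void onCreate(Bundle state) {
        super.onCreate(state);
        // UI setup only; the camera is acquired in onResume().
    }

    @Override
    protected void onResume() {
        super.onResume();
        try {
            cam = Camera.open(); // may return null if there is no back-facing camera
        } catch (RuntimeException e) {
            // Thrown when the camera is held by another process or is unavailable.
            Log.w(TAG, "Camera unavailable", e);
            cam = null;
        }
        // Attaching a preview surface and calling startPreview() is omitted here.
    }

    @Override
    protected void onPause() {
        releaseCamera(); // give the camera back before the activity leaves the foreground
        super.onPause();
    }

    @Override
    protected void onDestroy() {
        releaseCamera(); // no-op if onPause() already released it
        super.onDestroy();
    }

    // Idempotent release: safe to call from every shutdown callback.
    private void releaseCamera() {
        if (cam != null) {
            cam.stopPreview();
            cam.release();
            cam = null;
        }
    }
}
```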
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service
[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II
[3] Camera, Android Developers
[4] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 404, CWE ID 619
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9
[6] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Risky Resource Management - CWE ID 404