ABSTRACT

The code references the Android database handler after it has already been released.

EXPLANATION

The code attempts to use the Android SQLite database handler after the it has already been closed. Any further references to the handler without re-establishing the database connection will throw an exception, and can cause the application to crash if the exception is not caught.

Example: The following code might be from a program that caches user values temporarily in memory, but can call flushUpdates() to commit the changes to disk. The method properly closes the database handler after writing updates to the database. However, when flushUpdates() is called again, the database object is referenced again before reinitializing it.


public class ReuseDBActivity extends Activity {
private myDBHelper dbHelper;
private SQLiteDatabase db;

@Override
public void onCreate(Bundle state) {
...
db = dbHelper.getWritableDatabase();
...
}
...

private void flushUpdates() {
db.insert(cached_data); // flush cached data
dbHelper.close();
}
...
}

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II

[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 416

[4] Data Storage, Android Developers

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9