ABSTRACT

The program attempts to perform an operation without requesting the required permission.

EXPLANATION

Certain Android operations require permissions. Permissions have to be requested by the application at install time by listing them in the AndroidManifest.xml file via <uses-permission/> tags. If the required permissions are not requested, the operations that require these permissions will fail at runtime. In some cases, a java.lang.SecurityException is thrown back to the application. Other times, operations fail silently without an exception.

Example 1: The following code sends a text-based SMS.

SmsManager sms = SmsManager.getDefault();
sms.sendTextMessage(recipient, null, message, PendingIntent.getBroadcast(SmsMessaging.this, 0, new Intent(ACTION_SMS_SENT), 0), null);

This API requires the android.permission.SEND_SMS permission. If this permission is not requested by the application in the manifest file, the application will fail to send an SMS.
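The check a static analyzer performs for this weakness is simple to state: collect the permission-protected API calls the code makes, collect the <uses-permission/> entries in AndroidManifest.xml, and report every API whose permission is absent. The following Python script is an added example, not part of the original page and not the analyzer's own code; the API-to-permission table, the sample manifest and the sample Java source are all constructed for the example (the real table is far larger than the four entries shown).

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by android:* attributes in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed mapping of a few permission-protected API calls to the
# permission each one requires (assumption: a small excerpt for illustration).
API_PERMISSIONS = {
    "sendTextMessage": "android.permission.SEND_SMS",
    "sendMultipartTextMessage": "android.permission.SEND_SMS",
    "getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "getDeviceId": "android.permission.READ_PHONE_STATE",
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission/>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def used_apis(java_source):
    """Return the names of known permission-protected methods called in the source."""
    calls = re.finditer(r"\.(\w+)\s*\(", java_source)
    return {m.group(1) for m in calls if m.group(1) in API_PERMISSIONS}


def missing_permissions(manifest_xml, java_source):
    """Map each API call whose permission is not declared to the missing permission."""
    declared = declared_permissions(manifest_xml)
    return {
        api: API_PERMISSIONS[api]
        for api in sorted(used_apis(java_source))
        if API_PERMISSIONS[api] not in declared
    }


# Constructed sample manifest: declares location access but not SEND_SMS.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smsdemo">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="demo"/>
</manifest>
"""

# Same manifest with the missing permission added (the fix).
FIXED_MANIFEST = SAMPLE_MANIFEST.replace(
    '<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>',
    '<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>\n'
    '    <uses-permission android:name="android.permission.SEND_SMS"/>',
)

# Constructed sample source: the SMS call from the page plus a location lookup.
SAMPLE_SOURCE = """
SmsManager sms = SmsManager.getDefault();
sms.sendTextMessage(recipient, null, message,
    PendingIntent.getBroadcast(SmsMessaging.this, 0, new Intent(ACTION_SMS_SENT), 0), null);
Location loc = locationManager.getLastKnownLocation(LocationManager.GPS_PROVIDER);
"""

if __name__ == "__main__":
    for api, perm in missing_permissions(SAMPLE_MANIFEST, SAMPLE_SOURCE).items():
        print("%s() requires %s, which is not declared in the manifest" % (api, perm))
    print("after fix:", missing_permissions(FIXED_MANIFEST, SAMPLE_SOURCE))
```

Run against the constructed sample, the script reports only sendTextMessage() as lacking its permission, since ACCESS_FINE_LOCATION is already declared; once the <uses-permission/> line for android.permission.SEND_SMS is added, the report is empty. The method-name regex is deliberately crude and will not resolve reflection or calls through wrapper libraries, which is why a real analyzer works on resolved call graphs rather than source text.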

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control

[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration

[3] Standards Mapping - FIPS200 - (FISMA) AC

[4] A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner, Android Permissions Demystified

[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 265

[6] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Improper Access Control - CWE ID 285

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.10

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 7.1.1

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 7.1.1

[10] Using Permissions