ABSTRACT

The program declares a content provider with the combined read and write access permission.

EXPLANATION

A content provider declared with a combined read and write permission is accessible to any entity that holds that permission, whether it needs only read or only write access. In many cases, however, just as with files on a file system, entities that need read access to the data stored by the provider should not be allowed to modify it. Setting the single permission attribute does not make it possible to distinguish between consumers of the data and interactions that affect the data's integrity.

Example 1: Below is an example of a content provider declared with the combined read and write access permission.

<provider android:name=".ContentProvider" android:permission="content.permission.READ_AND_WRITE_CONTENT"/>
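Added example (not from the original page): the weak declaration from Example 1 beside a corrected one that uses the separate android:readPermission and android:writePermission attributes, with a path-permission element tightening one sub-tree. The package, authority and permission names are constructed for illustration.

```xml
<!-- Added example; package, authority and permission names are constructed. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">

    <!-- Declare distinct permissions so a caller must request each one explicitly. -->
    <permission android:name="com.example.notes.permission.READ_NOTES"
        android:protectionLevel="dangerous" />
    <permission android:name="com.example.notes.permission.WRITE_NOTES"
        android:protectionLevel="dangerous" />
    <permission android:name="com.example.notes.permission.WRITE_ARCHIVE"
        android:protectionLevel="signature" />

    <application>
        <!-- Weak form (as in Example 1): a single permission grants both
             read and write access, so a reader can also modify the data.
        <provider android:name=".NotesProvider"
            android:authorities="com.example.notes"
            android:exported="true"
            android:permission="com.example.notes.permission.READ_AND_WRITE_NOTES" />
        -->

        <!-- Corrected form: readers need only READ_NOTES; any insert,
             update or delete additionally requires WRITE_NOTES. -->
        <provider android:name=".NotesProvider"
            android:authorities="com.example.notes"
            android:exported="true"
            android:readPermission="com.example.notes.permission.READ_NOTES"
            android:writePermission="com.example.notes.permission.WRITE_NOTES">

            <!-- Writes under content://com.example.notes/archive are further
                 restricted to same-signature apps via a path permission. -->
            <path-permission android:pathPrefix="/archive"
                android:writePermission="com.example.notes.permission.WRITE_ARCHIVE" />
        </provider>
    </application>
</manifest>
```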
