ABSTRACT

The program attempts to perform an operation without requesting the required permission.

EXPLANATION

Certain Android operations require permissions. Permissions have to be requested by the application at install time by listing them in the AndroidManifest.xml file via <uses-permission/> tags. If the required permissions are not requested, the operations that require these permissions will fail at runtime. In some cases, a java.lang.SecurityException is thrown back to the application. Other times, operations fail silently without an exception.

Example 1: The AndroidManifest.xml file below specifies a receiver with an intent filter for intents with the android.intent.action.PHONE_STATE action.


<receiver android:name=".ReceiverTest" android:permission="test.permission" android:exported="true">
<intent-filter>
<action android:name="android.intent.action.PHONE_STATE" />
</intent-filter>
</receiver>


Receiving this intent requires the android.permission.READ_PHONE_STATE permission. If this permission is not requested by the application in the manifest file, the application will fail to receive the intent.

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control

[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration

[3] Standards Mapping - FIPS200 - (FISMA) AC

[4] A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner Android Permissions Demystified

[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 265

[6] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Improper Access Control - CWE ID 285

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.10

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 7.1.1

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 7.1.1

[10] Using Permissions