ABSTRACT

The program requests permission to write data to Android's external storage.

EXPLANATION

Files written to external storage are readable and writeable by arbitrary programs and users. Programs must never write sensitive information, such as personally identifiable information, to external storage. Connecting the Android device to a PC or another device over USB enables USB mass storage mode, in which any file on external storage can be read and modified from the connected host. In addition, files on external storage remain there even after the application that wrote them is uninstalled, further increasing the risk that any sensitive information stored in them will be compromised.

Example 1: The <uses-permission .../> element of AndroidManifest.xml carries the dangerous permission in its android:name attribute.

<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
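To show the difference in practice, here is an added example (not part of the original page) that places the flagged pattern beside the app-private alternative: the first method writes to the shared external volume and needs the manifest permission above; the second uses Context.openFileOutput with MODE_PRIVATE, which needs no storage permission, is not readable by other apps or over USB, and is removed on uninstall. StorageExample, the method names and the sample token are hypothetical.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class StorageExample {

    // Flagged pattern: requires WRITE_EXTERNAL_STORAGE in the manifest. The file
    // lands on the shared volume, is readable by other programs and by a host in
    // USB mass storage mode, and survives uninstall of this application.
    public static File writeSensitiveToExternal(String name, byte[] data) throws IOException {
        File dir = Environment.getExternalStorageDirectory(); // shared external volume
        File out = new File(dir, name);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(data);
        }
        return out;
    }

    // Safer pattern: MODE_PRIVATE writes under the app's internal data directory,
    // which no manifest permission is needed for, other applications cannot read,
    // and the system deletes when the application is uninstalled.
    public static File writeSensitiveToInternal(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream fos = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            fos.write(data);
        }
        return new File(ctx.getFilesDir(), name);
    }

    // Hypothetical caller; the session token is a constructed sample value.
    public static File storeSessionToken(Context ctx) throws IOException {
        byte[] sessionToken = "constructed-sample-session-token".getBytes(StandardCharsets.UTF_8);
        return writeSensitiveToInternal(ctx, "session.bin", sessionToken);
    }
}
```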


REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control

[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration

[3] Standards Mapping - FIPS200 - (FISMA) AC

[4] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 265

[5] Data Storage

[6] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Improper Access Control - CWE ID 285

[7] Ruggero Contu, John Girard, Put security policies in place for portable storage devices, Gartner Research

[8] Using Permissions