rspec/rules/S5594/xml/rule.adoc

If an Android component is exported and no permissions are defined then other mobile apps can interact with it and perform potential unauthorized actions.


For instance, an exported content provider can expose sensitive data, if no permissions are defined, to other mobile apps.


It's highly recommended to implement restrictive permissions on exposed components.


== Noncompliant Code Example

In an ``++AndroidManifest.xml++`` file, an exported component is vulnerable when read and write permissions are not defined:

----
<provider
  android:authorities="com.example.myapp.MyProvider1"
  android:name="com.example.myapp.MyProvider1"
  android:exported="true"
  android:readPermission="com.example.myapp.READ_PERMISSION" />  <!-- Noncompliant: write permission is not defined --> 

<provider
  android:authorities="com.example.myapp.MyProvider2"
  android:name="com.example.myapp.MyProvider2"
  android:exported="true"
  android:writePermission="com.example.myapp.WRITE_PERMISSION" />  <!-- Noncompliant: read permission is not defined --> 
----
With an ``++<intent-filter>++`` the component's attibute ``++android:exported++`` default value is "true":

----
<activity android:name="com.example.activity1">  <!-- Noncompliant: permissions are not defined --> 
  <intent-filter>
    <action android:name="com.example.OPEN_UI"/>
    <category android:name="android.intent.category.DEFAULT"/>
  </intent-filter>
</activity>
----


== Compliant Solution

In an ``++AndroidManifest.xml++`` file, if it is not needed to export a component to other apps then set the ``++exported++`` property to ``++false++``:

----
<provider
  android:authorities="com.example.myapp.MyProvider1"
  android:name="com.example.myapp.MyProvider1"
  android:exported="false" />  <!-- Compliant --> 
----

Otherwise, implement permissions (``++protectionLevel++`` https://developer.android.com/guide/topics/manifest/permission-element#plevel[value] must be defined depending on the  sensitivity of the component):

----
<permission android:name="com.example.myapp.A_PERMISSION"
  android:description="@string/perm_desc_A_PERMISSION"
  android:label="@string/perm_label_A_PERMISSION"
  android:protectionLevel="dangerous" />

<provider
  android:authorities="com.example.myapp.MyProvider2"
  android:name="com.example.myapp.MyProvider2"
  android:exported="true"
  android:permission="com.example.myapp.A_PERMISSION"  />  <!-- Compliant --> 

<activity android:name="com.example.activity1"
          android:permission="com.example.myapp.A_PERMISSION">  <!-- Compliant --> 
  <intent-filter>
    <action android:name="com.example.OPEN_UI"/>
    <category android:name="android.intent.category.DEFAULT"/>
  </intent-filter>
</activity>
----

== See

* https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard] - Platform Interaction Requirements
* https://www.owasp.org/index.php/Mobile_Top_10_2016-M2-Insecure_Data_Storage[OWASP Mobile Top 10 2016 Category M2] - Insecure Data Storage
* https://cwe.mitre.org/data/definitions/926.html[MITRE, CWE-926] - Improper Export of Android Application Components
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
* https://developer.android.com/guide/topics/providers/content-provider-creating#Permissions[developer.android.com] - Implementing content provider permissions
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00			`If an Android component is exported and no permissions are defined then other mobile apps can interact with it and perform potential unauthorized actions.`


			`For instance, an exported content provider can expose sensitive data, if no permissions are defined, to other mobile apps.`


			`It's highly recommended to implement restrictive permissions on exposed components.`

Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`== Noncompliant Code Example`

update 2021-02-12 16:35:24 +01:00			In an ``++AndroidManifest.xml++`` file, an exported component is vulnerable when read and write permissions are not defined:
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`<provider`
			`android:authorities="com.example.myapp.MyProvider1"`
			`android:name="com.example.myapp.MyProvider1"`
update; grammar fixes 2021-02-11 16:56:46 +01:00			`android:exported="true"`
			`android:readPermission="com.example.myapp.READ_PERMISSION" /> <!-- Noncompliant: write permission is not defined -->`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`<provider`
			`android:authorities="com.example.myapp.MyProvider2"`
			`android:name="com.example.myapp.MyProvider2"`
			`android:exported="true"`
update 2021-02-12 16:35:24 +01:00			`android:writePermission="com.example.myapp.WRITE_PERMISSION" /> <!-- Noncompliant: read permission is not defined -->`
			`----`
			With an ``++<intent-filter>++`` the component's attibute ``++android:exported++`` default value is "true":

			`----`
			`<activity android:name="com.example.activity1"> <!-- Noncompliant: permissions are not defined -->`
			`<intent-filter>`
			`<action android:name="com.example.OPEN_UI"/>`
			`<category android:name="android.intent.category.DEFAULT"/>`
			`</intent-filter>`
			`</activity>`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`== Compliant Solution`

update 2021-02-12 16:35:24 +01:00			In an ``++AndroidManifest.xml++`` file, if it is not needed to export a component to other apps then set the ``++exported++`` property to ``++false++``:
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`<provider`
update; grammar fixes 2021-02-11 16:56:46 +01:00			`android:authorities="com.example.myapp.MyProvider1"`
			`android:name="com.example.myapp.MyProvider1"`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`android:exported="false" /> <!-- Compliant -->`
			`----`

update 2021-02-12 16:35:24 +01:00			Otherwise, implement permissions (``++protectionLevel++`` https://developer.android.com/guide/topics/manifest/permission-element#plevel[value] must be defined depending on the sensitivity of the component):
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
update; grammar fixes 2021-02-11 16:56:46 +01:00			`<permission android:name="com.example.myapp.A_PERMISSION"`
update 2021-02-12 16:35:24 +01:00			`android:description="@string/perm_desc_A_PERMISSION"`
			`android:label="@string/perm_label_A_PERMISSION"`
update; grammar fixes 2021-02-11 16:56:46 +01:00			`android:protectionLevel="dangerous" />`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`<provider`
update; grammar fixes 2021-02-11 16:56:46 +01:00			`android:authorities="com.example.myapp.MyProvider2"`
			`android:name="com.example.myapp.MyProvider2"`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`android:exported="true"`
update; grammar fixes 2021-02-11 16:56:46 +01:00			`android:permission="com.example.myapp.A_PERMISSION" /> <!-- Compliant -->`
update 2021-02-12 16:35:24 +01:00
			`<activity android:name="com.example.activity1"`
			`android:permission="com.example.myapp.A_PERMISSION"> <!-- Compliant -->`
			`<intent-filter>`
			`<action android:name="com.example.OPEN_UI"/>`
			`<category android:name="android.intent.category.DEFAULT"/>`
			`</intent-filter>`
			`</activity>`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
			`== See`

add mobile security standards, links and tags to mobile rules and add new CWEv4.4 entries (#112) 2021-06-10 10:04:10 +02:00			`* https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard] - Platform Interaction Requirements`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00			`* https://www.owasp.org/index.php/Mobile_Top_10_2016-M2-Insecure_Data_Storage[OWASP Mobile Top 10 2016 Category M2] - Insecure Data Storage`
			`* https://cwe.mitre.org/data/definitions/926.html[MITRE, CWE-926] - Improper Export of Android Application Components`
			`* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses`
			`* https://developer.android.com/guide/topics/providers/content-provider-creating#Permissions[developer.android.com] - Implementing content provider permissions`