rspec/rules/S5604/xml/rule.adoc

Permissions that can have a large impact on user privacy, marked as https://developer.android.com/reference/android/Manifest.permission[dangerous or "not for use by third-party applications" by Android], should be requested only if they are really necessary to implement critical features of an application.

== Ask Yourself Whether

* It is not sure that ``++dangerous++`` permissions requested by the application are https://developer.android.com/training/permissions/usage-notes#avoid_requesting_unnecessary_permissions[really necessary].
* The users are not https://developer.android.com/training/permissions/usage-notes#be_transparent[clearly informed] why and when dangerous permissions are requested by the application.

You are at risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

It is recommended to carefully review all the permissions and to use ``++dangerous++`` ones only if they are really necessary.

== Sensitive Code Example

In AndroidManifest.xml:

----
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <!-- Sensitive --> 
<uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" /> <!-- Sensitive --> 
----

== Compliant Solution

[source,xml]
----
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" /> <!-- Compliant --> 
----

== See

* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
* https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard] - Platform Interaction Requirements
* https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[OWASP Mobile Top 10 2016 Category M1] - Improper Platform Usage
* https://cwe.mitre.org/data/definitions/250[MITRE, CWE-250] - Execution with Unnecessary Privileges
* https://developer.android.com/training/permissions/usage-notes[developer.android.com] - App permissions best practices
* https://play.google.com/about/privacy-security-deception/permissions/[Google Play] - Privacy, Security, and Deception - Permissions
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]
Disarm the . at the start of a line 2021-02-16 11:54:08 +01:00			`Permissions that can have a large impact on user privacy, marked as https://developer.android.com/reference/android/Manifest.permission[dangerous or "not for use by third-party applications" by Android], should be requested only if they are really necessary to implement critical features of an application.`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`== Ask Yourself Whether`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			* It is not sure that ``++dangerous++`` permissions requested by the application are https://developer.android.com/training/permissions/usage-notes#avoid_requesting_unnecessary_permissions[really necessary].
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`* The users are not https://developer.android.com/training/permissions/usage-notes#be_transparent[clearly informed] why and when dangerous permissions are requested by the application.`

			`You are at risk if you answered yes to any of those questions.`

			`== Recommended Secure Coding Practices`

Disarm the . at the start of a line 2021-02-16 11:54:08 +01:00			It is recommended to carefully review all the permissions and to use ``++dangerous++`` ones only if they are really necessary.
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`== Sensitive Code Example`

			`In AndroidManifest.xml:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <!-- Sensitive -->`
			`<uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" /> <!-- Sensitive -->`
			`----`

			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,xml]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" /> <!-- Compliant -->`
			`----`

			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control`
add mobile security standards, links and tags to mobile rules and add new CWEv4.4 entries (#112) 2021-06-10 10:04:10 +02:00			`* https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard] - Platform Interaction Requirements`
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[OWASP Mobile Top 10 2016 Category M1] - Improper Platform Usage`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/250[MITRE, CWE-250] - Execution with Unnecessary Privileges`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`* https://developer.android.com/training/permissions/usage-notes[developer.android.com] - App permissions best practices`
			`* https://play.google.com/about/privacy-security-deception/permissions/[Google Play] - Privacy, Security, and Deception - Permissions`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`endif::env-github,rspecator-view[]`