``++android:permission++`` is used to set a single permission for both reading and writing data from a content provider.
In regard to the Principle of Least Privilege, client applications that consume the content provider should only have the necessary privileges to complete their tasks. As ``++android:permission++`` grants both read and write access, it prevents client applications from applying this principle.
In practice, it means client applications that require read-only access will have to ask for more privileges than what they need: the content provider will always grant read and write together.


== Ask Yourself Whether

* Some client applications consuming the content provider may only require read permission.

There is a risk if you answered yes to this question.


== Recommended Secure Coding Practices

* Avoid using ``++android:permission++`` attribute alone. Instead ``++android:readPermission++`` and ``++android:writePermission++`` attributes to define separate read and write permissions.
* Avoid using the same permission for ``++android:readPermission++`` and ``++android:writePermission++`` attributes.


== Sensitive Code Example

[source,xml]
----
<provider 
  android:authorities="com.example.app.Provider"
  android:name="com.example.app.Provider"
  android:permission="com.example.app.PERMISSION"  <!-- Sensitive -->
  android:exported="true"/>
----

[source,xml]
----
<provider
  android:authorities="com.example.app.Provider"
  android:name="com.example.app.Provider"
  android:readPermission="com.example.app.PERMISSION"  <!-- Sensitive -->
  android:writePermission="com.example.app.PERMISSION" <!-- Sensitive -->
  android:exported="true"/>
----

== Compliant Solution

[source,xml]
----
<provider 
  android:authorities="com.example.app.MyProvider"
  android:name="com.example.app.MyProvider"
  android:readPermission="com.example.app.READ_PERMISSION"
  android:writePermission="com.example.app.WRITE_PERMISSION"
  android:exported="true"/>
----


== See

* https://developer.android.com/guide/topics/providers/content-provider-creating#Permissions[developer.android.com] - Implementing content provider permissions
* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard - Platform Interaction Requirements]
* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper platform usage]
* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m6-insecure-authorization[Mobile Top 10 2016 Category M6 - Insecure Authorization]
* CWE - https://cwe.mitre.org/data/definitions/1220[CWE-1220 - Insufficient Granularity of Access Control]


ifdef::env-github,rspecator-view[]
== Implementation Specification
(visible only on this page)

== Message

Make sure using a single permission for read and write is safe here.


== Highlighting

* The ``++android:permission++`` attribute and its associated value.
* The whole ``++<content>++`` opening tag

endif::env-github,rspecator-view[]