rspec/rules/S6359/xml/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940)
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00


== Why is this an issue?

Defining a custom permission in the ``android.permission`` namespace may result in an unexpected permission assignment if a newer version of Android adds a permission with the same name. It is recommended to use a namespace specific to the application for custom permissions.

=== Noncompliant code example

[source,xml]
----
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.organization.app">
    <permission
        android:name="android.permission.MYPERMISSION" /> <!-- Noncompliant -->
</manifest>
----

=== Compliant solution

[source,xml]
----
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.organization.app">
    <permission
        android:name="com.organization.app.permission.MYPERMISSION" />
</manifest>
----
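The check described by this rule can be run over a manifest before it ships. The script below is an added example, not part of the rule or of any SonarSource analyzer: it parses an `AndroidManifest.xml` with the standard library, reports every `<permission>` whose `android:name` sits in the reserved `android.permission.` namespace, and proposes the package-scoped name used in the compliant solution. It deliberately leaves `<uses-permission>` alone, since requesting a platform permission such as `android.permission.INTERNET` is legitimate; only *defining* one in that namespace is the problem. The two manifests embedded at the bottom are constructed test inputs modelled on the examples above.

```python
"""Flag custom <permission> declarations in the reserved android.permission namespace."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"   # ElementTree spelling of android:name
RESERVED_PREFIX = "android.permission."


def find_reserved_namespace_permissions(manifest_xml: str) -> list:
    """Return the android:name of each <permission> defined under android.permission.*.

    Only <permission> elements (definitions) are inspected; <uses-permission>
    elements (requests for existing permissions) are intentionally ignored.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("permission"):
        name = perm.get(ANDROID_NAME)
        if name and name.startswith(RESERVED_PREFIX):
            findings.append(name)
    return findings


def suggested_name(package: str, name: str) -> str:
    """Move a reserved-namespace name into the app's own namespace (as in the compliant solution)."""
    return f"{package}.permission.{name[len(RESERVED_PREFIX):]}"


def check_manifest(manifest_xml: str) -> list:
    """Return (offending_name, suggested_replacement) pairs for a manifest."""
    package = ET.fromstring(manifest_xml).get("package", "")
    return [
        (name, suggested_name(package, name))
        for name in find_reserved_namespace_permissions(manifest_xml)
    ]


# Constructed sample inputs (hypothetical app, not from any real project).
NONCOMPLIANT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.organization.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <permission android:name="android.permission.MYPERMISSION" />
</manifest>
"""

COMPLIANT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.organization.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <permission android:name="com.organization.app.permission.MYPERMISSION" />
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("noncompliant", NONCOMPLIANT_MANIFEST),
                            ("compliant", COMPLIANT_MANIFEST)):
        findings = check_manifest(manifest)
        if not findings:
            print(f"{label}: no custom permissions in android.permission namespace")
        for bad, good in findings:
            print(f"{label}: use a different namespace for '{bad}' (for example '{good}')")
```

Running the script prints one finding for the noncompliant manifest and nothing for the compliant one; the `<uses-permission>` line is present in both to show that it does not trigger the check.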

== Resources

* https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard] - Platform Interaction Requirements
* https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[OWASP Mobile Top 10 2016 Category M1] - Improper Platform Usage
* https://cwe.mitre.org/data/definitions/265[MITRE, CWE-265] - Privilege Issues
* https://cwe.mitre.org/data/definitions/732[MITRE, CWE-732] - Incorrect Permission Assignment for Critical Resource
* https://developer.android.com/guide/topics/permissions/defining[developer.android.com] - Define a Custom App Permission

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Use a different namespace for the 'xxx' permission.

'''
endif::env-github,rspecator-view[]