ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5604/xml/rule.adoc
Pierre-Loup 770348d041
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537) 
* Add check for security standard mismatch

* Fix security standard mismatches

* Fix Resources/Standards links for secrets rules

* Fix check

* Fix links and update security standard mapping

* Fix maintanability issue

* Apply review suggestions

* Apply suggestions from code review

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Fix typo

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-01-17 17:20:28 +01:00

51 lines
2.5 KiB
Plaintext
Raw Blame History

Permissions that can have a large impact on user privacy, marked as https://developer.android.com/reference/android/Manifest.permission[dangerous or "not for use by third-party applications" by Android], should be requested only if they are really necessary to implement critical features of an application.
== Ask Yourself Whether
* It is not sure that ``++dangerous++`` permissions requested by the application are https://developer.android.com/training/permissions/usage-notes#avoid_requesting_unnecessary_permissions[really necessary].
* The users are not https://developer.android.com/training/permissions/usage-notes#be_transparent[clearly informed] why and when dangerous permissions are requested by the application.
You are at risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
It is recommended to carefully review all the permissions and to use ``++dangerous++`` ones only if they are really necessary.
== Sensitive Code Example
In AndroidManifest.xml:
----
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <!-- Sensitive -->
<uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION" /> <!-- Sensitive -->
----
== Compliant Solution
[source,xml]
----
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" /> <!-- Compliant -->
----
== See
* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard - Platform Interaction Requirements]
* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper Platform Usage]
* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
* https://developer.android.com/training/permissions/usage-notes[developer.android.com] - App permissions best practices
* https://play.google.com/about/privacy-security-deception/permissions/[Google Play] - Privacy, Security, and Deception - Permissions
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make sure the use of [xxx] permission is necessary.
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink