ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6361/xml/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

77 lines
3.0 KiB
Plaintext
Raw Blame History

``++android:permission++`` is used to set a single permission for both reading and writing data from a content provider.
In regard to the Principle of Least Privilege, client applications that consume the content provider should only have the necessary privileges to complete their tasks. As ``++android:permission++`` grants both read and write access, it prevents client applications from applying this principle.
In practice, it means client applications that require read-only access will have to ask for more privileges than what they need: the content provider will always grant read and write together.
== Ask Yourself Whether
* Some client applications consuming the content provider may only require read permission.
There is a risk if you answered yes to this question.
== Recommended Secure Coding Practices
* Avoid using ``++android:permission++`` attribute alone. Instead ``++android:readPermission++`` and ``++android:writePermission++`` attributes to define separate read and write permissions.
* Avoid using the same permission for ``++android:readPermission++`` and ``++android:writePermission++`` attributes.
== Sensitive Code Example
[source,xml]
----
<provider
android:authorities="com.example.app.Provider"
android:name="com.example.app.Provider"
android:permission="com.example.app.PERMISSION" <!-- Sensitive -->
android:exported="true"/>
----
[source,xml]
----
<provider
android:authorities="com.example.app.Provider"
android:name="com.example.app.Provider"
android:readPermission="com.example.app.PERMISSION" <!-- Sensitive -->
android:writePermission="com.example.app.PERMISSION" <!-- Sensitive -->
android:exported="true"/>
----
== Compliant Solution
[source,xml]
----
<provider
android:authorities="com.example.app.MyProvider"
android:name="com.example.app.MyProvider"
android:readPermission="com.example.app.READ_PERMISSION"
android:writePermission="com.example.app.WRITE_PERMISSION"
android:exported="true"/>
----
== See
* https://developer.android.com/guide/topics/providers/content-provider-creating#Permissions[developer.android.com] - Implementing content provider permissions
* OWASP - https://mobile-security.gitbook.io/masvs/security-requirements/0x11-v6-interaction_with_the_environment[Mobile AppSec Verification Standard - Platform Interaction Requirements]
* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage[Mobile Top 10 2016 Category M1 - Improper platform usage]
* OWASP - https://owasp.org/www-project-mobile-top-10/2016-risks/m6-insecure-authorization[Mobile Top 10 2016 Category M6 - Insecure Authorization]
* CWE - https://cwe.mitre.org/data/definitions/1220[CWE-1220 - Insufficient Granularity of Access Control]
ifdef::env-github,rspecator-view[]
== Implementation Specification
(visible only on this page)
== Message
Make sure using a single permission for read and write is safe here.
== Highlighting
* The ``++android:permission++`` attribute and its associated value.
* The whole ``++<content>++`` opening tag
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink