org.sonar.l10n.xml.rules.xml.S6361.html
android:permission is used to set a single permission for both reading and writing data from a content provider. In regard to the Principle of Least Privilege, client applications that consume the content provider should only have the necessary privileges to complete their tasks.

As android:permission grants both read and write access, it prevents client applications from applying this principle. In practice, it means client applications that require read-only access will have to ask for more privileges than what they need: the content provider will always grant read and write together.
Ask Yourself Whether
- Some client applications consuming the content provider may only require read permission.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
- Avoid using the android:permission attribute alone. Instead, use the android:readPermission and android:writePermission attributes to define separate read and write permissions.
- Avoid using the same permission for the android:readPermission and android:writePermission attributes.
Sensitive Code Example
<!-- Sensitive: android:permission guards both read and write -->
<provider
    android:authorities="com.example.app.Provider"
    android:name="com.example.app.Provider"
    android:permission="com.example.app.PERMISSION"
    android:exported="true"/>

<!-- Sensitive: readPermission and writePermission use the same permission -->
<provider
    android:authorities="com.example.app.Provider"
    android:name="com.example.app.Provider"
    android:readPermission="com.example.app.PERMISSION"
    android:writePermission="com.example.app.PERMISSION"
    android:exported="true"/>
Compliant Solution
<provider
    android:authorities="com.example.app.MyProvider"
    android:name="com.example.app.MyProvider"
    android:readPermission="com.example.app.READ_PERMISSION"
    android:writePermission="com.example.app.WRITE_PERMISSION"
    android:exported="true"/>
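Added example (not part of the original rule text and not Sonar's implementation): a manifest check that flags both sensitive patterns above by comparing each provider's effective read and write permissions. The function name find_coarse_providers and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <provider android:name="com.example.app.SingleProvider"
        android:authorities="com.example.app.single"
        android:permission="com.example.app.PERMISSION"
        android:exported="true"/>
    <provider android:name="com.example.app.SameProvider"
        android:authorities="com.example.app.same"
        android:readPermission="com.example.app.PERMISSION"
        android:writePermission="com.example.app.PERMISSION"
        android:exported="true"/>
    <provider android:name="com.example.app.SplitProvider"
        android:authorities="com.example.app.split"
        android:readPermission="com.example.app.READ_PERMISSION"
        android:writePermission="com.example.app.WRITE_PERMISSION"
        android:exported="true"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_coarse_providers(manifest_xml):
    """Return (provider name, shared permission) for every provider whose
    effective read and write permissions are identical."""
    findings = []
    # For untrusted manifests, parse with defusedxml instead of the stdlib parser.
    root = ET.fromstring(manifest_xml)
    for provider in root.iter("provider"):
        fallback = attr(provider, "permission")
        # readPermission / writePermission take precedence over android:permission.
        read = attr(provider, "readPermission") or fallback
        write = attr(provider, "writePermission") or fallback
        if read is not None and read == write:
            findings.append((attr(provider, "name"), read))
    return findings


if __name__ == "__main__":
    for name, perm in find_coarse_providers(SAMPLE_MANIFEST):
        print(f"{name}: read and write are both guarded by {perm}")
```

Providers that declare no permission at all are outside the scope of this rule and are not reported by the check.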
See
- developer.android.com - Implementing content provider permissions
- Mobile AppSec Verification Standard - Platform Interaction Requirements
- OWASP Mobile Top 10 2016 Category M1 - Improper platform usage
- OWASP Mobile Top 10 2016 Category M6 - Insecure Authorization
- MITRE, CWE-1220 - Insufficient Granularity of Access Control