Audit: File is set as world readable or writable JAVA-A1039
a01, cwe-200, cwe-732, security, cwe-552, cwe-668, owasp-top-10
This code appears to open a file using Context.openFileOutput(String, int), but sets the mode (the second argument) to Context.MODE_WORLD_READABLE or Context.MODE_WORLD_WRITEABLE.
This is dangerous. Both constants were deprecated in API level 17 (Android 4.2, Jelly Bean), and starting with Android 7.0 (API level 24) passing either of them makes openFileOutput throw a SecurityException, so the write fails outright on current devices. On older versions the file is created with Unix permission bits that let every other app on the device read it (MODE_WORLD_READABLE) or modify it (MODE_WORLD_WRITEABLE). A malicious app can then exfiltrate whatever the file holds, or tamper with it, which is worst when the file is configuration or code your app later loads.
Bad Practice
FileOutputStream fos = openFileOutput("somefile.txt", Context.MODE_WORLD_READABLE);
Recommended
Use MODE_PRIVATE instead (combined with MODE_APPEND if the file already exists and you want to append rather than truncate). The file is then accessible only to your own app's UID.
FileOutputStream fos = openFileOutput("somefile.txt", Context.MODE_PRIVATE);
If you need to expose this file to other applications/activities, share it through the content provider API (for example a FileProvider that hands out a per-URI read grant) instead of loosening the file's permission bits.
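The following is an added example, not code from the rule page or from Android itself. It writes a file with MODE_PRIVATE, appends to it with MODE_PRIVATE | MODE_APPEND, shares it with one specific app through a FileProvider read-only URI grant rather than a world-readable file, and verifies with android.system.Os.stat that no "other" permission bits are set. The authority suffix ".fileprovider", the target package name and the file_paths.xml entry mentioned in the comments are assumptions; the matching <provider> element must exist in your AndroidManifest.xml for FileProvider.getUriForFile to work.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.system.ErrnoException;
import android.system.Os;
import android.system.StructStat;
import androidx.core.content.FileProvider;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not part of the JAVA-A1039 rule page): keep app files private
 * and expose them to other apps only through a per-URI content provider grant.
 */
public final class PrivateFiles {

    // Assumed: AndroidManifest.xml declares
    //   <provider android:name="androidx.core.content.FileProvider"
    //             android:authorities="${applicationId}.fileprovider" ... >
    // with a <meta-data> pointing at res/xml/file_paths.xml containing
    //   <files-path name="shared" path="shared/" />
    private static final String AUTHORITY_SUFFIX = ".fileprovider";

    private PrivateFiles() {}

    /** Creates or truncates a file that only this app's UID can read or write. */
    public static File writePrivate(Context ctx, String name, String contents) throws IOException {
        try (FileOutputStream fos = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            fos.write(contents.getBytes(StandardCharsets.UTF_8));
        }
        return new File(ctx.getFilesDir(), name);
    }

    /** Appends a line to an existing private file instead of truncating it. */
    public static void appendPrivate(Context ctx, String name, String line) throws IOException {
        try (FileOutputStream fos =
                     ctx.openFileOutput(name, Context.MODE_PRIVATE | Context.MODE_APPEND)) {
            fos.write((line + "\n").getBytes(StandardCharsets.UTF_8));
        }
    }

    /**
     * Builds an Intent that gives exactly one app read access to one file via a
     * content:// URI. The grant is scoped to that URI and lives only as long as
     * the receiving component does; the file itself stays private on disk.
     */
    public static Intent shareReadOnly(Context ctx, File privateFile,
                                       String targetPackage, String mimeType) {
        // Throws IllegalArgumentException if privateFile is outside the paths
        // listed in file_paths.xml, which is the safety net you want.
        Uri uri = FileProvider.getUriForFile(ctx, ctx.getPackageName() + AUTHORITY_SUFFIX, privateFile);
        Intent intent = new Intent(Intent.ACTION_SEND)
                .setType(mimeType)
                .putExtra(Intent.EXTRA_STREAM, uri)
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); // read only; never add WRITE unless required
        if (targetPackage != null) {
            intent.setPackage(targetPackage); // explicit target, so no other app can claim the grant
        }
        return intent;
    }

    /**
     * Defensive check: true if the file carries no permission bits for "other".
     * MODE_PRIVATE files are created 0660 with owner and group both set to the
     * app's own UID, so the group bits are fine; any "other" bit means the file
     * is readable or writable by every app on the device.
     */
    public static boolean hasNoWorldPermissions(File f) throws ErrnoException {
        StructStat st = Os.stat(f.getAbsolutePath());
        return (st.st_mode & 07) == 0; // octal 07 = rwx for "other"
    }
}
```

Call hasNoWorldPermissions on anything written by legacy code paths (or on files unpacked from downloads) before your app trusts their contents; on Android 7.0 and later the world modes already throw, so the check mainly catches files created by older builds or by native code using open(2) with a permissive mode.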
References
- Android Developer Resources - Creating a Content Provider
- OWASP Top Ten (2021) - Category A01 - Broken Access Control
- CWE-732 - Incorrect Permission Assignment for Critical Resource
- CWE-200 - Information Exposure
- CWE-552 - Files or Directories Accessible to External Parties
- CWE-668 - Exposure of Resource to Wrong Sphere