7.1 Implement File Permissions Carefully
World readable files can act as a vector for your program to leak sensitive information. World writeable files may expose your app by letting an attacker influence its behavior by overwriting data that is read by your app from storage. Examples include settings files and stored login information.
Do not create files with permissions of MODEWORLD_READABLE or MODE_WORLD_WRITABLE unless it is required as any app would be able to read or write the file even though it may be stored in the app’s private data directory. _Note: Both of these modes were deprecated in Android API level 17 (see http://developer.android.com/reference/android/content/Context.html). At this time, use of either mode will trigger a
SecurityExceptionthough the restriction is not yet fully enforced.
Do not use modes such as 0666, 0777, and 0664 with the
syscallsaccepting a file mode (
creat, etc) _Note: Android 7.0 (API level 24) and higher sets all private directories (
data/data) to restricted access -- mode 0700 (see https://developer.android.com/about/versions/nougat/android-7.0-changes.html.
- OWASP Mobile Top 10: M1 - Improper Platform Usage
- CWE: CWE-280 - Improper Handling of Insufficient Permissions or Privileges