Permissive context mode for resources

Description

Using permissive context modes like Context.MODE_WORLD_READABLE and Context.MODE_WORLD_WRITEABLE for file permissions exposes your application to significant security risks. These modes allow any application to read and write to your files, respectively. In light of these risks, these constants have been deprecated and removed from newer Android versions.

Remediations

  • Do use Context.MODE_PRIVATE for file permissions to ensure that your files are accessible only by your application.
    getSharedPreferences("MyPreferences", Context.MODE_PRIVATE);
  • Do utilize a ContentProvider if you need to share data with other applications securely. This approach provides granular control over who can access your data.
    public class MyContentProvider extends ContentProvider {
        // Implement content provider methods here
    }
  • Do not use MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE constants, even in legacy applications. Instead, update your application to use more secure alternatives.

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_android_world_readable_writable_mode

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_android_world_readable_writable_mode