In Android applications, accessing external storage is security-sensitive. For example, it has led in the past to the following vulnerability:
Any application having the permissions WRITE_EXTERNAL_STORAGE
or READ_EXTERNAL_STORAGE
can access files stored on an
external storage, be it a private or a public file.
This rule raises an issue when the following functions are called:
android.os.Environment.getExternalStorageDirectory
android.os.Environment.getExternalStoragePublicDirectory
android.content.Context.getExternalFilesDir
android.content.Context.getExternalFilesDirs
android.content.Context.getExternalMediaDirs
android.content.Context.getExternalCacheDir
android.content.Context.getExternalCacheDirs
android.content.Context.getObbDir
android.content.Context.getObbDirs
There is a risk if you answered yes to any of those questions.
Validate any data read from files.
Avoid writing sensitive information to an external storage. If this is required, make sure that the data is encrypted properly.
import android.content.Context; import android.os.Environment; public class AccessExternalFiles { public void accessFiles(Context context) { Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_PICTURES); // Sensitive context.getExternalFilesDir(Environment.DIRECTORY_PICTURES); // Sensitive } }