In Android applications, accessing external storage is security-sensitive. For example, it has led in the past to the following vulnerability:

Any application holding the WRITE_EXTERNAL_STORAGE or READ_EXTERNAL_STORAGE permission can access files stored on external storage, whether they are private or public files.

This rule raises an issue when the following functions are called:

Ask Yourself Whether

There is a risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

Validate any data read from files.

Avoid writing sensitive information to external storage. If this is unavoidable, make sure the data is properly encrypted and authenticated before it is written, and treat anything read back as untrusted input.
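The following is an added example of the two practices above, not code from the Sonar rule or from the Android SDK. It encrypts data with AES-GCM before writing it to a file that stands in for an external-storage location, and on the way back it authenticates the content (GCM rejects any byte another application modified) and then validates the decrypted payload against an assumed application format (UTF-8 text without control characters, capped at 64 KiB). The class name, the file layout (IV followed by ciphertext and tag), the size bound and the payload format are all assumptions of this example. The demo key is generated in memory so the code runs on a plain JDK; in a real Android app the key should be generated and held in the AndroidKeyStore rather than stored alongside the data.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.File;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.SecureRandom;
import java.util.Arrays;

/**
 * Hypothetical helper (constructed for this example): writes data to an externally
 * accessible file only in AES-GCM sealed form, and validates whatever it reads back.
 */
public class SealedExternalFile {

    private static final int IV_BYTES = 12;             // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;            // authentication tag length
    private static final int MAX_PLAINTEXT = 64 * 1024; // assumed validation bound for this app
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    public SealedExternalFile(SecretKey key) { this.key = key; }

    /** Encrypt and write. Assumed file layout: IV || ciphertext || GCM tag. */
    public void write(File target, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv); // fresh nonce for every write; a nonce must never repeat under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(target.getName().getBytes(StandardCharsets.UTF_8)); // bind ciphertext to its file name
        byte[] sealed = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + sealed.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(sealed, 0, out, iv.length, sealed.length);
        Files.write(target.toPath(), out);
    }

    /** Read, authenticate and validate. Returns null on any integrity or validation failure. */
    public byte[] read(File source) throws Exception {
        long maxOnDisk = (long) MAX_PLAINTEXT + IV_BYTES + TAG_BITS / 8;
        if (!source.isFile() || source.length() > maxOnDisk) {
            return null; // reject oversized files before reading them
        }
        byte[] in = Files.readAllBytes(source.toPath());
        if (in.length < IV_BYTES + TAG_BITS / 8) return null; // too short to hold IV and tag
        byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
        byte[] sealed = Arrays.copyOfRange(in, IV_BYTES, in.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(source.getName().getBytes(StandardCharsets.UTF_8));
        try {
            byte[] plain = c.doFinal(sealed); // throws AEADBadTagException if modified or wrong key
            return isValidPayload(plain) ? plain : null;
        } catch (AEADBadTagException e) {
            return null;
        }
    }

    /** Assumed payload format: strictly valid UTF-8 text with no control characters except \n and \t. */
    static boolean isValidPayload(byte[] plain) {
        if (plain.length > MAX_PLAINTEXT) return false;
        try {
            // The default CharsetDecoder action is REPORT, so malformed UTF-8 raises an exception
            String s = StandardCharsets.UTF_8.newDecoder().decode(ByteBuffer.wrap(plain)).toString();
            for (int i = 0; i < s.length(); i++) {
                char ch = s.charAt(i);
                if (Character.isISOControl(ch) && ch != '\n' && ch != '\t') return false;
            }
            return true;
        } catch (CharacterCodingException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Demo key only; on Android generate the key inside AndroidKeyStore instead.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SealedExternalFile store = new SealedExternalFile(kg.generateKey());

        // A temp file stands in for a file under context.getExternalFilesDir(...)
        File f = File.createTempFile("sealed", ".bin");
        store.write(f, "session token: constructed-sample-value".getBytes(StandardCharsets.UTF_8));
        byte[] back = store.read(f);
        System.out.println(back == null ? "rejected" : new String(back, StandardCharsets.UTF_8));

        // Simulate another app with the storage permission flipping one byte of the file
        byte[] raw = Files.readAllBytes(f.toPath());
        raw[raw.length - 1] ^= 0x01;
        Files.write(f.toPath(), raw);
        System.out.println(store.read(f) == null ? "tampered file rejected" : "unexpected");
        f.delete();
    }
}
```

Two design points are worth noting. Binding the file name as additional authenticated data means a sealed file copied under a different name no longer decrypts, which blocks another application from swapping one of your files for another; drop the AAD if files are legitimately renamed. And validation runs after decryption rather than instead of it: the tag check catches tampering, while the format check catches content that is authentic but not what the application expects, for example a file written by an older version of the app.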

Sensitive Code Example

import android.content.Context;
import android.os.Environment;

public class AccessExternalFiles {

    public void accessFiles(Context context) {
        Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_PICTURES); // Sensitive
        context.getExternalFilesDir(Environment.DIRECTORY_PICTURES); // Sensitive
    }
}

See