Attribute hasFragileUserData not set

Attribute hasFragileUserData not set

Risk: hardening

Description

android:hasFragileUserData is an attribute in Android that allows developers to specify whether their app contains fragile user data that needs to be protected.

Fragile user data refers to any data that could potentially cause harm or damage to a user if it's lost, stolen, or misused.

This can include sensitive personal information such as social security numbers, credit card numbers, medical records, and other sensitive data.

This value should be set explicitly in the application to indicate whether the application is handling important user data or not.

If its value is true, then when the user uninstalls the app, a prompt will be shown to the user asking him whether to keep the app's data.

Recommendation

The hasFragileUserData flag can be added to the application AndroidManifest.xml file.

XML

<application android:icon="@drawable/icon" android:hasFragileUserData="true">

Links

• Android Developer - Fragile User Data

Standards

• OWASP_MASVS_L1:
  • MSTG_ARCH_12
• OWASP_MASVS_L2:
  • MSTG_ARCH_12
• PCI_STANDARDS:
  • REQ_3_2
  • REQ_3_5
  • REQ_6_2
• GDPR:
  • ART_5
  • ART_12
  • ART_25
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_4