Skip to content

Insecure Shared Preferences Permissions

Insecure Shared Preferences Permissions

Description

Setting Shared Preferences with insecure permissions either world readable or world writable may expose sensitive information stored in shared preferences to arbitrary read or write by a malicious attacker.

Recommendation

Shared Preferences are XML files to store private primitive data in key-value pairs. Data Types include Booleans, floats, ints, longs, and strings.

Shared preferences must be set with the permission MODE_WORLD_READABLE, unless explicitly required for sharing information across apps.

Standards

  • OWASP_MASVS_L1:
    • MSTG_PLATFORM_4
  • OWASP_MASVS_L2:
    • MSTG_PLATFORM_4
  • CWE_TOP_25:
    • CWE_276