Insecure Shared Preferences Permissions

Description

Creating Shared Preferences with insecure permissions (world-readable or world-writable) may expose the sensitive information stored in them to arbitrary reads or writes by a malicious application.

Recommendation

Shared Preferences are XML files that store private primitive data as key-value pairs. Supported data types include booleans, floats, ints, longs, and strings.

Shared preferences must never be created with the mode MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE, unless explicitly required for sharing information across apps.

Instead, shared preferences should use the mode MODE_PRIVATE (the default mode). In this mode, only the application that created the shared preferences can access or modify them.

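  // Open (or create) the preferences file so that only this app can read or write it
  SharedPreferences sharedPreferences = getSharedPreferences("MyPreferences", Context.MODE_PRIVATE);
  SharedPreferences.Editor editor = sharedPreferences.edit();
  editor.putString("language", "en-US");
  // Persist the change asynchronously
  editor.apply();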
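
To find existing violations of this recommendation in a code base, the following added example (not part of the original page) audits Java source for `getSharedPreferences` calls whose mode sets a world-access flag, whether written as a constant name or as its integer value. The function names, regular expressions and sample source are constructed for illustration, and the matcher assumes the mode argument contains no nested parentheses.

```python
import re

# Values of the android.content.Context mode constants (MODE_PRIVATE is 0).
WORLD_FLAGS = {"MODE_WORLD_READABLE": 1, "MODE_WORLD_WRITEABLE": 2}

# Captures the preferences name (group 1) and the mode expression (group 2).
CALL = re.compile(r'getSharedPreferences\s*\(\s*("[^"]*"|[^,]+?)\s*,\s*([^)]*)\)')
INT_LITERAL = re.compile(r'\b(0[xX][0-9a-fA-F]+|\d+)\b')


def world_flags(mode_expr):
    """Return the world-access flags a mode expression sets, by name or by value."""
    found = {n for n in WORLD_FLAGS if re.search(rf'\b{n}\b', mode_expr)}
    for lit in INT_LITERAL.findall(mode_expr):
        value = int(lit, 16) if lit.lower().startswith("0x") else int(lit)
        found |= {n for n, bit in WORLD_FLAGS.items() if value & bit}
    return sorted(found)


def scan(source):
    """Return (line, prefs_name, flags) for each call that is not private."""
    findings = []
    for m in CALL.finditer(source):
        flags = world_flags(m.group(2))
        if flags:
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1).strip('"'), flags))
    return findings


# Constructed sample input, not taken from any real app.
SAMPLE = '''\
SharedPreferences a = getSharedPreferences("MyPreferences", Context.MODE_PRIVATE);
SharedPreferences b = ctx.getSharedPreferences("session", Context.MODE_WORLD_READABLE);
SharedPreferences c = getSharedPreferences("shared",
        MODE_WORLD_READABLE | MODE_WORLD_WRITEABLE);
SharedPreferences d = getSharedPreferences("legacy", 2);
'''

if __name__ == "__main__":
    for line, name, flags in scan(SAMPLE):
        print(f"line {line}: preferences '{name}' opened with {', '.join(flags)}")
```

Each finding should be reviewed and, unless cross-app sharing is explicitly required, changed to MODE_PRIVATE as shown in the recommendation.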

Standards

  • OWASP_MASVS_L1:
    • MSTG_PLATFORM_4
  • OWASP_MASVS_L2:
    • MSTG_PLATFORM_4
  • CWE_TOP_25:
    • CWE_276
  • GDPR:
    • ART_5
    • ART_32
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_7_3
    • REQ_11_3
  • OWASP_MASVS_v2_1:
    • MASVS_PLATFORM_1
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_6_1
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5