Insecure Shared Preferences Permissions

Insecure Shared Preferences Permissions

Risk: medium

Description

Setting Shared Preferences with insecure permissions either world readable or world writable may expose sensitive information stored in shared preferences to arbitrary read or write by a malicious attacker.

Recommendation

Shared Preferences are XML files to store private primitive data in key-value pairs. Data Types include Booleans, floats, ints, longs, and strings.

Shared preferences must be set with the permission MODE_WORLD_READABLE, unless explicitly required for sharing information across apps.

Links

• Shared Preferences (Android Developer)

Standards

• OWASP_MASVS_L1:
  • MSTG_PLATFORM_4
• OWASP_MASVS_L2:
  • MSTG_PLATFORM_4