lcimeni / tiktok-ios


NowSecure dynamic analysis: Improper Permissions Granting Write Access to Other Apps #103

Open lcimeni opened 1 year ago

lcimeni commented 1 year ago

Finding Description

Files were found to be world-writable during dynamic analysis. Although it is possible that the permissions on the respective file(s) were changed later during runtime, the issue is that at some point in between, another process could have opened the file and written to it. If the other process didn't close the file, the open file descriptor could still be used to write the file's content. Because of this, it is possible that manually checking the file permissions on a local device may not yield the same result as shown here. There are also no guarantees that this access mode will remain on a file, such as when it goes through a backup and restore, so code that relies on this can fail unexpectedly. For instances where the file permissions are set correctly later at runtime, it is recommended to find the initial source of the violation in the code and use less permissive permissions when making file calls.
It is possible that files shown in evidence do not specifically have world-writable permissions; however, if they are stored on the SD card then they can automatically inherit them by default.

Steps to Reproduce

This test monitors the application at runtime for calls to files stored on the device. It will flag any files that are world-writable, or made world-writable by the way they are opened by the app.

Business Impact

This app is storing data in files that are accessible and modifiable by any other app on the device. Any sensitive information contained in those files is exposed, and apps can potentially modify application data to change its behavior.

Remediation Resources

Creating world-writable files is very dangerous, likely to cause security holes in applications, and is strongly discouraged. Instead, applications should use more formal mechanisms for interactions, such as Content Providers. Details and code snippets can be found at https://developer.android.com/guide/topics/providers/content-provider-creating.

The evidence table gives the location of all files that were found to be world-writable at any time while the app was running.

Risk and Regulatory Information

Severity: medium
CVSS: 5

See more detail in the NowSecure Report