Configuration Management / Attribute requestLegacyExternalStorage Set

Android, Mobile App

Description

"Attribute requestLegacyExternalStorage set" is a Configuration Management vulnerability that usually occurs in Android and mobile applications. It is defined in the Common Weakness Enumeration (CWE) directory as "CWE-732: Incorrect Permission Assignment for Critical Resource". This means that the application does not assign the correct permissions to sensitive or critical resources, which allows malicious actors to modify or steal data. The Open Web Application Security Project (OWASP) Testing Guide also identifies this vulnerability as a key security issue.

Risk

The risk associated with this vulnerability is high due to the potential for malicious actors to gain access to sensitive information. If the incorrect permissions are assigned, attackers could potentially gain access to a user's personal information, such as banking details, passwords, or other sensitive data. This could lead to identity theft, financial losses, or other damages.

Solution

To mitigate the risk associated with the vulnerability, it is important to ensure that the correct permissions are assigned to the application. This can be done by using a secure coding approach and following secure coding best practices. Additionally, it is important to regularly audit the application to ensure that the correct permissions are in place.

Example

Below is an example of code with the incorrect permission assignment for a critical resource, taken from the Common Vulnerabilities and Exposures (CVE) directory:

android:requestLegacyExternalStorage="true"

This code assigns the incorrect permission to a critical resource, allowing malicious actors to potentially access sensitive data.
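
One way to automate the regular audit recommended under Solution, as an added example that is not part of the original page or of any CVE entry: a check that parses a plain-text AndroidManifest.xml and reports when the application element sets the attribute. The function name audit_manifest, the finding texts and both sample manifests are constructed for illustration, and the manifest is assumed to be in text form (from the source tree or decoded from the APK).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LEGACY = f"{{{ANDROID_NS}}}requestLegacyExternalStorage"
NAME = f"{{{ANDROID_NS}}}name"
STORAGE_PERMS = {"android.permission.READ_EXTERNAL_STORAGE",
                 "android.permission.WRITE_EXTERNAL_STORAGE"}

def audit_manifest(xml_text):
    """Return findings for a plain-text AndroidManifest.xml from your own project."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    value = app.get(LEGACY) if app is not None else None
    if value is None:
        return []                      # attribute not present
    value = value.strip()
    if value.startswith("@"):
        # Resource reference such as @bool/...: the real value lives in res/values.
        return [f"requestLegacyExternalStorage set via resource {value}: review manually"]
    if value.lower() != "true":
        return []                      # explicitly switched off
    findings = ['application sets android:requestLegacyExternalStorage="true"']
    # Broad storage permissions declared next to the flag are listed as well.
    declared = {p.get(NAME) for p in root.iter("uses-permission")}
    for perm in sorted(declared & STORAGE_PERMS):
        findings.append(f"declared together with {perm}")
    return findings

# Constructed sample manifests (not taken from a real application).
FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes" android:requestLegacyExternalStorage="true"/>
</manifest>"""

CLEAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("flagged", FLAGGED), ("clean", CLEAN)):
        print(label, audit_manifest(text))
```

Run as a build or CI step, a non-empty result can be used to fail the job so that the attribute is removed before release.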
