Authorization / Insecure Shared Preferences Permissions
Description
Insecure Shared Preferences Permissions is an authorization weakness in Android applications, catalogued in the Common Weakness Enumeration (CWE) under incorrect permission assignment for a critical resource (CWE-732). It occurs when an app creates its SharedPreferences file with a mode that grants other applications on the device access to it (MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE), so any other app installed on the same device can read, and in the writable case modify, the stored values without any authentication or authorization. Because developers routinely keep session tokens, feature flags, server URLs and even credentials in shared preferences, the result is data leakage and data manipulation. The OWASP Mobile Application Security Testing Guide (MASTG) describes tests for local data storage that detect this misconfiguration, and a static check for the two world modes in the app's source or decompiled bytecode is the quickest way to find it.
Risk
Insecure Shared Preferences Permissions can have severe consequences for the affected app and its users. A malicious app on the same device can read sensitive values such as user credentials, session tokens and payment details stored in a world-readable preferences file, and, if the file is world-writable, can alter them, for example by swapping a stored API endpoint for an attacker-controlled one or flipping a flag that disables a security control. Depending on what the app stores there, this can lead to account takeover, fraud and large-scale data theft. The attack requires no special permissions and no user interaction beyond installing the malicious app.
Solution
The best way to prevent Insecure Shared Preferences Permissions is to ensure that access to shared preferences is properly configured. Always open preferences with Context.MODE_PRIVATE, which creates the backing XML file owned by the app's own uid with mode 0600; never use MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE, which have been deprecated since API level 17 and cause getSharedPreferences() to throw a SecurityException on API level 24 and later. Data that other apps legitimately need should be exposed through a ContentProvider guarded by a permission, not through a shared file. Secrets such as tokens or credentials should either not be stored in shared preferences at all or be encrypted with a key held in the Android Keystore before they are written, so that a file that does leak (through a backup, a rooted device or a later misconfiguration) does not expose plaintext. Finally, verify the result: inspect the file mode of the shared_prefs directory on a test device and, as defence in depth, have the app refuse to use a preferences file whose group or other permission bits are set.
Example
An example from the CVE directory is CVE-2020-7885, recorded against an Android application that exposed its shared preferences to other apps on the device. Because the preferences file is readable by any other application (and, with MODE_WORLD_WRITEABLE, writable as well), a malicious app installed on the same device needs no authentication or authorization to read or alter the stored values. The following snippet shows the app-side misconfiguration that creates this condition; it is the vulnerable application's own code, not attacker code:
// Vulnerable pattern, run from inside an Activity or other Context subclass.
// Requires: import android.content.Context; import android.content.SharedPreferences;
// MODE_WORLD_READABLE is deprecated since API 17 and throws SecurityException on API 24+;
// on older devices it creates shared_prefs/MyPrefs.xml readable by every app on the device.
SharedPreferences prefs = getSharedPreferences("MyPrefs", Context.MODE_WORLD_READABLE);
// Read a value; any other app can obtain the same value by opening the XML file directly.
String data = prefs.getString("data", "");
// Write a value; with MODE_WORLD_WRITEABLE other apps could rewrite the file the same way.
prefs.edit().putString("data", "modifiedData").apply();