Authorization / Untrusted External Storage File Access

Description

Untrusted External Storage File Access is a type of Authorization vulnerability (CWE-862) where an application fails to properly verify the access permissions of external storage files, allowing an attacker to access or modify the data without proper authorization. This is an issue that particularly affects Android and mobile application users, as external storage is often used for storing user data. (OWASP Testing Guide, 2019)

Risk

Untrusted External Storage File Access can have serious security implications, as it can allow an attacker to access or modify sensitive user data, such as contacts, photos, videos, and more. This can lead to identity theft, fraud, and other malicious activities.

Solution

In order to prevent this vulnerability, it is important to ensure that all external storage files are properly secured. The best way to do this is to ensure that all external storage files are properly protected. This can be done by using encryption, restricting access to certain files, and/or using other security measures.

Example

The following code example shows an example of how to restrict access to an external storage file. This example uses the Android API.

File f = new File(context.getExternalFilesDir(null), filename);
f.setReadable(true, false);
f.setWritable(true, false);