Android applications can store files on external storage (such as an SD card or shared storage), which is globally readable and writable by other applications.

Why is this an issue?

External storage in Android is globally readable and writable by any application that holds the READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE permissions. Files stored there can be read, modified, or deleted by other applications, making external storage unsuitable for sensitive data. External storage can also be physically removed by the user, causing files to become unavailable at any time. This rule raises an issue when an application accesses external storage directories via APIs such as getExternalFilesDir, getExternalStorageDirectory, or equivalent.

What is the potential impact?

Data exposure

A malicious application with storage permissions can read sensitive files stored in external storage, leading to exposure of user credentials, personal data, or application secrets.

Data integrity

An attacker can modify or delete files in external storage, corrupting application data or injecting malicious content that the application will later process.

How to fix it

Code examples

The following code accesses external storage, which is globally readable and writable by other applications and therefore should not be used to store sensitive data.

Noncompliant code example

import android.content.Context;

public class AccessExternalFiles {

    public void accessFiles(Context context) {
        context.getExternalFilesDir(null); // Noncompliant
    }
}

Compliant solution

import android.content.Context;

public class AccessExternalFiles {

    public void accessFiles(Context context) {
        context.getFilesDir(); // Compliant: internal storage is private to the application
    }
}
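
A fuller version of the compliant approach, as an added example that is not part of the rule's original samples: it stores a value in internal storage and migrates a copy that an earlier release left in external storage. The class name InternalFileStore and the file name session_token.txt are hypothetical.

```java
import android.content.Context;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;

// Added example: hypothetical helper, not part of the rule's own samples.
public class InternalFileStore {

    // Hypothetical file name used for illustration.
    private static final String FILE_NAME = "session_token.txt";

    // Writes the value under getFilesDir(); MODE_PRIVATE keeps the file
    // accessible only to this application.
    public void save(Context context, String value) throws IOException {
        try (FileOutputStream out = context.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            out.write(value.getBytes(StandardCharsets.UTF_8));
        }
    }

    // One-time migration for data an older version left in external storage.
    // The legacy copy could have been altered by another application, so the
    // caller must validate the migrated content before trusting it.
    public boolean migrateLegacyCopy(Context context) throws IOException {
        File externalDir = context.getExternalFilesDir(null); // legacy location only
        if (externalDir == null) {
            return false; // external storage is currently unavailable (e.g. removed)
        }
        File legacy = new File(externalDir, FILE_NAME);
        if (!legacy.isFile()) {
            return false; // nothing to migrate
        }
        try (InputStream in = new FileInputStream(legacy);
             OutputStream out = context.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            byte[] buffer = new byte[4096];
            int read;
            while ((read = in.read(buffer)) != -1) {
                out.write(buffer, 0, read);
            }
        }
        // Remove the exposed copy; report failure so the caller can retry.
        return legacy.delete();
    }
}
```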
