Android applications can store files on external storage (such as an SD card or shared storage), which is globally readable and writable by other applications.
External storage in Android is globally readable and writable by any application that holds the READ_EXTERNAL_STORAGE or
WRITE_EXTERNAL_STORAGE permissions. Files stored there can be read, modified, or deleted by other applications, making external storage
unsuitable for sensitive data. External storage can also be physically removed by the user, causing files to become unavailable at any time. This rule
raises an issue when an application accesses external storage directories via APIs such as getExternalFilesDir,
getExternalStorageDirectory, or equivalent.
A malicious application with storage permissions can read sensitive files stored in external storage, leading to exposure of user credentials, personal data, or application secrets.
An attacker can modify or delete files in external storage, corrupting application data or injecting malicious content that the application will later process.
The following code accesses external storage, which is globally readable and writable by other applications and therefore should not be used to store sensitive data.
import android.content.Context;

public class AccessExternalFiles {
    public void accessFiles(Context context) {
        context.getExternalFilesDir(null); // Noncompliant
    }
}
The following code uses internal storage instead, which is private to the application.
import android.content.Context;

public class AccessExternalFiles {
    public void accessFiles(Context context) {
        context.getFilesDir();
    }
}
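As an added example (not part of the original rule description), the helper below writes sensitive data to internal storage and treats anything read back from external storage as untrusted: it checks that the volume is still mounted, bounds the path and size, and verifies a SHA-256 digest. The class name, method names, size limit, and the idea of keeping the expected digest in internal storage are assumptions for illustration; java.nio.file.Files requires API level 26 or later.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper, constructed for this example.
public class StorageHelper {
    private static final long MAX_EXTERNAL_BYTES = 1024 * 1024; // assumed size limit

    // Sensitive data goes to internal storage, private to the application.
    public static void saveSensitive(Context context, String name, byte[] data)
            throws IOException {
        try (FileOutputStream out = context.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data);
        }
    }

    // Non-sensitive data read from external storage is handled as untrusted input.
    public static byte[] readExternal(Context context, String name, byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        File dir = context.getExternalFilesDir(null);
        // The volume can be removed or unmounted at any time.
        if (dir == null
                || !Environment.MEDIA_MOUNTED.equals(Environment.getExternalStorageState(dir))) {
            throw new IOException("external storage unavailable");
        }
        File file = new File(dir, name);
        // Reject names that resolve outside the expected directory.
        if (!file.getCanonicalPath().startsWith(dir.getCanonicalPath() + File.separator)) {
            throw new IOException("unexpected path");
        }
        if (!file.isFile() || file.length() > MAX_EXTERNAL_BYTES) {
            throw new IOException("missing or oversized file");
        }
        byte[] content = Files.readAllBytes(file.toPath());
        // Another application may have modified the file: compare against a digest
        // that the caller keeps in internal storage.
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(content);
        if (!MessageDigest.isEqual(actual, expectedSha256)) {
            throw new IOException("integrity check failed");
        }
        return content;
    }
}
```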