AttackFlow Findings Dictionary


Insecure File Modifiers

Malicious applications can read sensitive data written by the target application.

Severity

High

Fix Cost

Low

Trust Level

Medium

Android applications can write data to files, to shared preferences (an application-specific preferences file) or to databases. When the data stored through these mechanisms is sensitive, only privileged applications (such as the application that produces the data) should be able to access it.

MODE_PRIVATE is an access modifier defined in Android that can be passed to the storage APIs to make sure that the file produced is private; that is, it can only be accessed by the application that produces it.

On the other hand, when an application uses an insecure access modifier such as MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE, unauthorized applications can also access these files.

            
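import android.content.Context;
import android.content.SharedPreferences;
…

// Vulnerable: MODE_WORLD_READABLE lets any application on the device read this preferences file.
SharedPreferences sharedpreferences = getSharedPreferences(PREF, Context.MODE_WORLD_READABLE);
SharedPreferences.Editor editor = sharedpreferences.edit();
// Sensitive values end up in the world-readable file.
editor.putString(Name, name);
editor.putString(Phone, phone);
editor.putString(Email, email);
editor.commit();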
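
An added example, not part of the original page or of AttackFlow: a line-based Python check that flags calls to the Context storage APIs made with a world-accessible mode, including the integer literals 1 and 2 that equal MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE. The function names and the sample Java lines are constructed for illustration; openFileOutput and openOrCreateDatabase are the file and database counterparts of getSharedPreferences.

```python
import re

# Values of the android.content.Context mode constants.
MODE_FLAGS = {"MODE_PRIVATE": 0x0000, "MODE_WORLD_READABLE": 0x0001,
              "MODE_WORLD_WRITEABLE": 0x0002, "MODE_APPEND": 0x8000}
WORLD_MASK = MODE_FLAGS["MODE_WORLD_READABLE"] | MODE_FLAGS["MODE_WORLD_WRITEABLE"]

# Context storage APIs whose second argument is the mode.
# Regex pass, not a Java parser: a first argument containing a call is not matched.
CALL = re.compile(
    r"\b(getSharedPreferences|openFileOutput|openOrCreateDatabase)"
    r"\s*\(\s*[^,()]+,\s*([^,()]+)")

def mode_value(expr):
    """Evaluate a mode expression such as 'Context.MODE_PRIVATE | 1'."""
    total = 0
    for term in expr.split("|"):
        term = term.strip().split(".")[-1]   # drop a 'Context.' qualifier
        if term in MODE_FLAGS:
            total |= MODE_FLAGS[term]
            continue
        try:
            total |= int(term, 0)            # integer literal: 1, 2, 0x1 ...
        except ValueError:
            continue                         # unknown variable: contributes nothing
    return total

def find_insecure_modes(source):
    """Return (line_number, api, mode_expression) for each world-accessible call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL.finditer(line):
            if mode_value(m.group(2)) & WORLD_MASK:
                findings.append((lineno, m.group(1), m.group(2).strip()))
    return findings

# Constructed sample input: the page's call plus variants of it.
SAMPLE = """\
SharedPreferences a = getSharedPreferences(PREF, Context.MODE_WORLD_READABLE);
SharedPreferences b = getSharedPreferences(PREF, Context.MODE_PRIVATE);
FileOutputStream c = openFileOutput("notes.txt", MODE_WORLD_WRITEABLE | MODE_APPEND);
SharedPreferences d = getSharedPreferences(PREF, 1);
SQLiteDatabase e = openOrCreateDatabase("app.db", Context.MODE_PRIVATE, null);
"""

if __name__ == "__main__":
    for lineno, api, mode in find_insecure_modes(SAMPLE):
        print(f"line {lineno}: {api} uses world-accessible mode '{mode}'")
```

Lines 2 and 5 of the sample pass because MODE_PRIVATE evaluates to 0; replacing the flagged mode arguments with Context.MODE_PRIVATE clears the findings.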
                
            
