From 221b28a3ab93062e884e4d4c1d8f97b1ba380e7a Mon Sep 17 00:00:00 2001 From: Anubhav Singh Date: Mon, 11 Apr 2022 18:41:15 +0530 Subject: [PATCH] Update oasam-conf-006-improper-file-permissions.md --- .../oasam-conf-006-improper-file-permissions.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/oasam-conf-configuration-and-deploy-management/oasam-conf-006-improper-file-permissions.md b/oasam-conf-configuration-and-deploy-management/oasam-conf-006-improper-file-permissions.md index 9481f8f..52373e2 100644 --- a/oasam-conf-configuration-and-deploy-management/oasam-conf-006-improper-file-permissions.md +++ b/oasam-conf-configuration-and-deploy-management/oasam-conf-006-improper-file-permissions.md @@ -1,17 +1,17 @@ -#OASAM-CONF-006: Improper file permissions +# OASAM-CONF-006: Improper file permissions -##Description: +## Description: Generating files with the “MODE_WORLD_READABLE” permission allows a global file reading, so it is not recommended except if it is a file that does not reveal confidential information. Likewise, it is not recommended to set files with “MODE_WORLD_WRITABLE” permission. An example of dangerous file statementcan be seenbelow: >file = openFileOutput("File_Name", Context.MODE_WORLD_READABLE); -##Risks: +## Risks: Setting global reading permissions reveals the information contained in a file. If the writing permission is enabled, any application could modify the content of such file, extending the attack surface. -##Recommendations: +## Recommendations: It is recommended to generate files with global reading or writing permissions only when it is strictly necessary. In general terms, these guidelines are recommended to follow in order to store data: 
@@ -25,7 +25,7 @@ It is recommended to generate files with global reading or writing permissions o 5. Network Connection. For storing data on services through the net. In such cases, it is recommended to maximize precautions and use encryption techniques. -##References: +## References: 1. Flaw 20 of “42+ Best practices in secure mobile development for iOS and Android” 2. Page 22 of “iSEC Securing Android Apps”
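Review bot: In the Description part of the first hunk (@@ -1,17 +1,17 @@), the unchanged context line "An example of dangerous file statementcan be seenbelow:" still has words run together ("statementcan", "seenbelow"), and the sample line `>file = openFileOutput("File_Name", Context.MODE_WORLD_READABLE);` is marked up as a blockquote rather than as code. Since this patch is a Markdown cleanup of the same file, fix the spacing and move the sample into a code block in the same change, so the one line that shows the risky call renders as code. The subject "Update oasam-conf-006-improper-file-permissions.md" could also say what changed, for example that it adds the missing space after the heading markers.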
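Review bot: In the second hunk (@@ -25,7 +25,7 @@), the two entries under the corrected "## References:" heading are given by title only ("Flaw 20 of ..." and "Page 22 of ...") with no link, author or edition visible, so a reader cannot check the cited flaw or page. While this section is being touched, consider adding the source URL or publication details to each entry.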