[{"data":1,"prerenderedAt":1657},["ShallowReactive",2],{"global-navigation":3,"page-\u002Fandroid-secure-coding-standard\u002Frules\u002Fcomponent-security-cps\u002Fdrd01-x":28,"surround-\u002Fandroid-secure-coding-standard\u002Frules\u002Fcomponent-security-cps\u002Fdrd01-x":1085,"sidebar-android-secure-coding-standard":1094},[4,8],{"title":5,"path":6,"_path":6,"fromAppConfig":7},"Home","\u002F",true,{"title":9,"path":10,"children":11,"_path":27,"fromAppConfig":7},"Coding Standards","\u002Fcoding-standards\u002F",[12,15,18,21,24],{"title":13,"path":14},"Android Coding Standard","\u002Fandroid-secure-coding-standard\u002F",{"title":16,"path":17},"C Coding Standard","\u002Fsei-cert-c-coding-standard\u002F",{"title":19,"path":20},"C++ Coding Standard","\u002Fsei-cert-cpp-coding-standard\u002F",{"title":22,"path":23},"Java Coding Standard","\u002Fsei-cert-oracle-coding-standard-for-java\u002F",{"title":25,"path":26},"Perl Coding Standard","\u002Fsei-cert-perl-coding-standard\u002F","\u002Fcoding-standards",{"id":29,"title":30,"body":31,"description":1072,"extension":1073,"meta":1074,"navigation":7,"path":1081,"seo":1082,"stem":1083,"__hash__":1084},"content\u002F3.android-secure-coding-standard\u002F3.rules\u002F04.component-security-cps\u002F2.drd01-x.md","DRD01-X. Limit the accessibility of an app's sensitive content provider",{"type":32,"value":33,"toc":1057},"minimark",[34,38,47,50,63,67,78,141,144,147,153,195,204,208,214,218,221,227,232,269,273,276,774,778,781,825,829,832,898,902,905,908,911,914,918,930,934,992,996,1029,1032,1053],[35,36,30],"h1",{"id":37},"drd01-x-limit-the-accessibility-of-an-apps-sensitive-content-provider",[39,40,41,42,46],"p",{},"The ",[43,44,45],"code",{},"ContentProvider"," class provides a mechanism for managing and sharing data with other applications. 
When sharing a provider’s data with other apps, access control should be carefully implemented to prohibit unauthorized access to sensitive data.",[39,48,49],{},"There are three ways to limit access to the content provider:",[51,52,53,57,60],"ul",{},[54,55,56],"li",{},"Public",[54,58,59],{},"Private",[54,61,62],{},"Restricted access",[64,65,56],"h2",{"id":66},"public",[39,68,69,70,73,74,77],{},"By specifying the ",[43,71,72],{},"android:exported"," attribute in the AndroidManifest.xml file, a content provider is made public to other applications. For Android applications before API Level 16, a content provider is public unless ",[43,75,76],{},"android:exported=\"false\""," is explicitly specified. For example,",[79,80,85],"pre",{"className":81,"code":82,"language":83,"meta":84,"style":84},"\u003Cprovider android:exported=\"true\" android:name=\"MyContentProvider\" android:authorities=\"com.example.mycontentprovider\" \u002F>\n","java","",[43,86,87],{"__ignoreMap":84},[88,89,92,96,100,103,106,109,113,116,118,121,123,126,128,130,133,135,138],"span",{"class":90,"line":91},"line",1,[88,93,95],{"class":94},"sC2Qs","\u003C",[88,97,99],{"class":98},"sMOD_","provider android",[88,101,102],{"class":94},":",[88,104,105],{"class":98},"exported",[88,107,108],{"class":94},"=",[88,110,112],{"class":111},"sstjo","\"true\"",[88,114,115],{"class":98}," android",[88,117,102],{"class":94},[88,119,120],{"class":98},"name",[88,122,108],{"class":94},[88,124,125],{"class":111},"\"MyContentProvider\"",[88,127,115],{"class":98},[88,129,102],{"class":94},[88,131,132],{"class":98},"authorities",[88,134,108],{"class":94},[88,136,137],{"class":111},"\"com.example.mycontentprovider\"",[88,139,140],{"class":94}," \u002F>\n",[39,142,143],{},"If a content provider is to be made public, the data stored in a provider may be accessed from other applications. 
Therefore, it should be designed to handle only nonsensitive information.",[64,145,59],{"id":146},"private",[39,148,149,150,152],{},"You can make your provider private by specifying the ",[43,151,72],{}," attribute in the AndroidManifest.xml file. In API Level 17 and later, a content provider is private if you do not specify the attribute explicitly. For example,",[79,154,156],{"className":81,"code":155,"language":83,"meta":84,"style":84},"\u003Cprovider android:exported=\"false\" android:name=\"MyContentProvider\" android:authorities=\"com.example.mycontentprovider\" \u002F>\n",[43,157,158],{"__ignoreMap":84},[88,159,160,162,164,166,168,170,173,175,177,179,181,183,185,187,189,191,193],{"class":90,"line":91},[88,161,95],{"class":94},[88,163,99],{"class":98},[88,165,102],{"class":94},[88,167,105],{"class":98},[88,169,108],{"class":94},[88,171,172],{"class":111},"\"false\"",[88,174,115],{"class":98},[88,176,102],{"class":94},[88,178,120],{"class":98},[88,180,108],{"class":94},[88,182,125],{"class":111},[88,184,115],{"class":98},[88,186,102],{"class":94},[88,188,132],{"class":98},[88,190,108],{"class":94},[88,192,137],{"class":111},[88,194,140],{"class":94},[39,196,197,198,200,201,203],{},"If you do not need to share a content provider with other applications, it should be declared ",[43,199,76],{}," in the manifest file. Note, however, that in API Level 8 and earlier, even if you explicitly declare ",[43,202,76],{},", your content provider is accessible from other apps.",[64,205,207],{"id":206},"restricted-access","Restricted Access",[39,209,210],{},[211,212,213],"strong",{},"\u003C\u003C@TODO: flesh out more details, write these rules.>>",[64,215,217],{"id":216},"noncompliant-code-example","Noncompliant Code Example",[39,219,220],{},"MovatwiTouch, a Twitter client application, used a content provider to manage Twitter’s consumer key, consumer secret, and access token. 
However, the content provider was made public, which enabled applications installed on users’ devices to access this sensitive information.",[39,222,223,224,226],{},"The following entry in the AndroidManifest.xml does not have the ",[43,225,72],{}," attribute, which means, before API Level 16, the content provider is made public:",[228,229,231],"h3",{"id":230},"androidmanifestxml","AndroidManifest.xml",[233,234,236],"code-block",{"quality":235},"bad",[79,237,239],{"className":81,"code":238,"language":83,"meta":84,"style":84},"\u003Cprovider android:name=\".content.AccountProvider\" android:authorities=\"jp.co.vulnerable.accountprovider\" \u002F>\n",[43,240,241],{"__ignoreMap":84},[88,242,243,245,247,249,251,253,256,258,260,262,264,267],{"class":90,"line":91},[88,244,95],{"class":94},[88,246,99],{"class":98},[88,248,102],{"class":94},[88,250,120],{"class":98},[88,252,108],{"class":94},[88,254,255],{"class":111},"\".content.AccountProvider\"",[88,257,115],{"class":98},[88,259,102],{"class":94},[88,261,132],{"class":98},[88,263,108],{"class":94},[88,265,266],{"class":111},"\"jp.co.vulnerable.accountprovider\"",[88,268,140],{"class":94},[228,270,272],{"id":271},"proof-of-concept","Proof of Concept",[39,274,275],{},"The following code shows how this could be exploited:",[79,277,279],{"className":81,"code":278,"language":83,"meta":84,"style":84},"\u002F\u002F check whether movatwi is installed.\ntry {\n  ApplicationInfo info = getPackageManager().getApplicationInfo(\"jp.co.vulnerable\", 0);\n} catch (NameNotFoundException e) {\n  Log.w(TAG, \"the app is not installed.\");\n  return;\n}\n\u002F\u002F extract account data through content provider\nUri uri = Uri.parse(\"content:\u002F\u002Fjp.co.vulnerable.accountprovider\");\nCursor cur = getContentResolver().query(uri, null, null, null, null);\nStringBuilder sb = new StringBuilder();\nif (cur != null) {\n  int ri = 0;\n  while (cur.moveToNext()) {\n    ++ri;\n    Log.i(TAG, String.format(\"row[%d]:\", 
ri));\n    sb.setLength(0);\n    for (int i = 0; i \u003C cur.getColumnCount(); ++i) {\n      String column = cur.getColumnName(i);\n      String value = cur.getString(i);\n      if (value != null) {\n        value = value.replaceAll(\"[\\r\\n]\", \"\");\n      }\n      Log.i(TAG, String.format(\"\\t%s:\\t%s\", column, value));\n    }\n  }\n} else {\n  Log.i(TAG, \"Can't get the app information.\");\n}\n",[43,280,281,287,296,334,356,374,383,389,395,419,459,479,496,513,528,537,560,575,613,632,649,664,696,702,733,739,745,755,769],{"__ignoreMap":84},[88,282,283],{"class":90,"line":91},[88,284,286],{"class":285},"s8-w5","\u002F\u002F check whether movatwi is installed.\n",[88,288,290,293],{"class":90,"line":289},2,[88,291,292],{"class":94},"try",[88,294,295],{"class":98}," {\n",[88,297,299,303,306,308,312,315,318,321,324,327,331],{"class":90,"line":298},3,[88,300,302],{"class":301},"sk8M1","  ApplicationInfo",[88,304,305],{"class":98}," info ",[88,307,108],{"class":94},[88,309,311],{"class":310},"srTi1"," getPackageManager",[88,313,314],{"class":98},"().",[88,316,317],{"class":310},"getApplicationInfo",[88,319,320],{"class":98},"(",[88,322,323],{"class":111},"\"jp.co.vulnerable\"",[88,325,326],{"class":98},", ",[88,328,330],{"class":329},"s7F3e","0",[88,332,333],{"class":98},");\n",[88,335,337,340,343,346,349,353],{"class":90,"line":336},4,[88,338,339],{"class":98},"} ",[88,341,342],{"class":94},"catch",[88,344,345],{"class":98}," (",[88,347,348],{"class":301},"NameNotFoundException",[88,350,352],{"class":351},"sTHNf"," e",[88,354,355],{"class":98},") {\n",[88,357,359,362,365,368,371],{"class":90,"line":358},5,[88,360,361],{"class":98},"  Log.",[88,363,364],{"class":310},"w",[88,366,367],{"class":98},"(TAG, ",[88,369,370],{"class":111},"\"the app is not installed.\"",[88,372,373],{"class":98},");\n",[88,375,377,380],{"class":90,"line":376},6,[88,378,379],{"class":94},"  
return",[88,381,382],{"class":98},";\n",[88,384,386],{"class":90,"line":385},7,[88,387,388],{"class":98},"}\n",[88,390,392],{"class":90,"line":391},8,[88,393,394],{"class":285},"\u002F\u002F extract account data through content provider\n",[88,396,398,401,404,406,409,412,414,417],{"class":90,"line":397},9,[88,399,400],{"class":301},"Uri",[88,402,403],{"class":98}," uri ",[88,405,108],{"class":94},[88,407,408],{"class":98}," Uri.",[88,410,411],{"class":310},"parse",[88,413,320],{"class":98},[88,415,416],{"class":111},"\"content:\u002F\u002Fjp.co.vulnerable.accountprovider\"",[88,418,373],{"class":98},[88,420,422,425,428,430,433,435,438,441,444,446,448,450,452,454,456],{"class":90,"line":421},10,[88,423,424],{"class":301},"Cursor",[88,426,427],{"class":98}," cur ",[88,429,108],{"class":94},[88,431,432],{"class":310}," getContentResolver",[88,434,314],{"class":98},[88,436,437],{"class":310},"query",[88,439,440],{"class":98},"(uri, ",[88,442,443],{"class":329},"null",[88,445,326],{"class":98},[88,447,443],{"class":329},[88,449,326],{"class":98},[88,451,443],{"class":329},[88,453,326],{"class":98},[88,455,443],{"class":329},[88,457,458],{"class":98},");\n",[88,460,462,465,468,470,473,476],{"class":90,"line":461},11,[88,463,464],{"class":301},"StringBuilder",[88,466,467],{"class":98}," sb ",[88,469,108],{"class":94},[88,471,472],{"class":94}," new",[88,474,475],{"class":310}," StringBuilder",[88,477,478],{"class":98},"();\n",[88,480,482,485,488,491,494],{"class":90,"line":481},12,[88,483,484],{"class":94},"if",[88,486,487],{"class":98}," (cur ",[88,489,490],{"class":94},"!=",[88,492,493],{"class":329}," null",[88,495,355],{"class":98},[88,497,499,503,506,508,511],{"class":90,"line":498},13,[88,500,502],{"class":501},"sq6CD","  int",[88,504,505],{"class":98}," ri ",[88,507,108],{"class":94},[88,509,510],{"class":329}," 0",[88,512,382],{"class":98},[88,514,516,519,522,525],{"class":90,"line":515},14,[88,517,518],{"class":94},"  while",[88,520,521],{"class":98}," 
(cur.",[88,523,524],{"class":310},"moveToNext",[88,526,527],{"class":98},"()) {\n",[88,529,531,534],{"class":90,"line":530},15,[88,532,533],{"class":94},"    ++",[88,535,536],{"class":98},"ri;\n",[88,538,540,543,546,549,552,554,557],{"class":90,"line":539},16,[88,541,542],{"class":98},"    Log.",[88,544,545],{"class":310},"i",[88,547,548],{"class":98},"(TAG, String.",[88,550,551],{"class":310},"format",[88,553,320],{"class":98},[88,555,556],{"class":111},"\"row[%d]:\"",[88,558,559],{"class":98},", ri));\n",[88,561,563,566,569,571,573],{"class":90,"line":562},17,[88,564,565],{"class":98},"    sb.",[88,567,568],{"class":310},"setLength",[88,570,320],{"class":98},[88,572,330],{"class":329},[88,574,373],{"class":98},[88,576,578,581,583,586,589,591,593,596,598,601,604,607,610],{"class":90,"line":577},18,[88,579,580],{"class":94},"    for",[88,582,345],{"class":98},[88,584,585],{"class":501},"int",[88,587,588],{"class":98}," i ",[88,590,108],{"class":94},[88,592,510],{"class":329},[88,594,595],{"class":98},"; i ",[88,597,95],{"class":94},[88,599,600],{"class":98}," cur.",[88,602,603],{"class":310},"getColumnCount",[88,605,606],{"class":98},"(); ",[88,608,609],{"class":94},"++",[88,611,612],{"class":98},"i) {\n",[88,614,616,619,622,624,626,629],{"class":90,"line":615},19,[88,617,618],{"class":301},"      String",[88,620,621],{"class":98}," column ",[88,623,108],{"class":94},[88,625,600],{"class":98},[88,627,628],{"class":310},"getColumnName",[88,630,631],{"class":98},"(i);\n",[88,633,635,637,640,642,644,647],{"class":90,"line":634},20,[88,636,618],{"class":301},[88,638,639],{"class":98}," value ",[88,641,108],{"class":94},[88,643,600],{"class":98},[88,645,646],{"class":310},"getString",[88,648,631],{"class":98},[88,650,652,655,658,660,662],{"class":90,"line":651},21,[88,653,654],{"class":94},"      if",[88,656,657],{"class":98}," (value 
",[88,659,490],{"class":94},[88,661,493],{"class":329},[88,663,355],{"class":98},[88,665,667,670,672,675,678,680,683,686,689,691,694],{"class":90,"line":666},22,[88,668,669],{"class":98},"        value ",[88,671,108],{"class":94},[88,673,674],{"class":98}," value.",[88,676,677],{"class":310},"replaceAll",[88,679,320],{"class":98},[88,681,682],{"class":111},"\"[",[88,684,685],{"class":329},"\\r\\n",[88,687,688],{"class":111},"]\"",[88,690,326],{"class":98},[88,692,693],{"class":111},"\"\"",[88,695,373],{"class":98},[88,697,699],{"class":90,"line":698},23,[88,700,701],{"class":98},"      }\n",[88,703,705,708,710,712,714,716,719,722,725,727,730],{"class":90,"line":704},24,[88,706,707],{"class":98},"      Log.",[88,709,545],{"class":310},[88,711,548],{"class":98},[88,713,551],{"class":310},[88,715,320],{"class":98},[88,717,718],{"class":111},"\"",[88,720,721],{"class":329},"\\t",[88,723,724],{"class":111},"%s:",[88,726,721],{"class":329},[88,728,729],{"class":111},"%s\"",[88,731,732],{"class":98},", column, value));\n",[88,734,736],{"class":90,"line":735},25,[88,737,738],{"class":98},"    }\n",[88,740,742],{"class":90,"line":741},26,[88,743,744],{"class":98},"  }\n",[88,746,748,750,753],{"class":90,"line":747},27,[88,749,339],{"class":98},[88,751,752],{"class":94},"else",[88,754,295],{"class":98},[88,756,758,760,762,764,767],{"class":90,"line":757},28,[88,759,361],{"class":98},[88,761,545],{"class":310},[88,763,367],{"class":98},[88,765,766],{"class":111},"\"Can't get the app information.\"",[88,768,373],{"class":98},[88,770,772],{"class":90,"line":771},29,[88,773,388],{"class":98},[64,775,777],{"id":776},"compliant-solution","Compliant Solution",[39,779,780],{},"The following entry in the AndroidManifest.xml file makes the content provider private so that other apps cannot access the data:",[233,782,784],{"quality":783},"good",[79,785,787],{"className":81,"code":786,"language":83,"meta":84,"style":84},"\u003Cprovider android:name=\".content.AccountProvider\" 
android:exported=\"false\" android:authorities=\"jp.co.vulnerable.accountprovider\" \u002F>\n",[43,788,789],{"__ignoreMap":84},[88,790,791,793,795,797,799,801,803,805,807,809,811,813,815,817,819,821,823],{"class":90,"line":91},[88,792,95],{"class":94},[88,794,99],{"class":98},[88,796,102],{"class":94},[88,798,120],{"class":98},[88,800,108],{"class":94},[88,802,255],{"class":111},[88,804,115],{"class":98},[88,806,102],{"class":94},[88,808,105],{"class":98},[88,810,108],{"class":94},[88,812,172],{"class":111},[88,814,115],{"class":98},[88,816,102],{"class":94},[88,818,132],{"class":98},[88,820,108],{"class":94},[88,822,266],{"class":111},[88,824,140],{"class":94},[64,826,828],{"id":827},"risk-assessment","Risk Assessment",[39,830,831],{},"Declaring a public content provider can leak sensitive information to malicious apps.",[833,834,835,836,835,866],"table",{},"\n  ",[837,838,839,840,835],"thead",{},"\n    ",[841,842,843,844,843,848,843,851,843,854,843,857,843,860,843,863,839],"tr",{},"\n      ",[845,846,847],"th",{},"Rule",[845,849,850],{},"Severity",[845,852,853],{},"Likelihood",[845,855,856],{},"Detectable",[845,858,859],{},"Repairable",[845,861,862],{},"Priority",[845,864,865],{},"Level",[867,868,839,869,835],"tbody",{},[841,870,843,871,843,875,843,878,843,881,843,884,843,886,843,893,839],{},[872,873,874],"td",{},"DRD01-J",[872,876,877],{},"medium",[872,879,880],{},"probable",[872,882,883],{},"No",[872,885,883],{},[872,887,889],{"style":888},"color: #27ae60;",[890,891,892],"b",{},"P4",[872,894,895],{"style":888},[890,896,897],{},"L3",[64,899,901],{"id":900},"automated-detection","Automated Detection",[39,903,904],{},"Tool",[39,906,907],{},"Version",[39,909,910],{},"Checker",[39,912,913],{},"Description",[64,915,917],{"id":916},"related-vulnerabilities","Related Vulnerabilities",[51,919,920],{},[54,921,922,929],{},[923,924,928],"a",{"href":925,"rel":926},"https:\u002F\u002Fjvn.jp\u002Fen\u002Fjp\u002FJVN90289505\u002F",[927],"nofollow","JVN#90289505"," Content 
provider in MovatwiTouch fails to restrict access permissions",[64,931,933],{"id":932},"related-guidelines","Related Guidelines",[833,935,938,947],{"className":936},[937],"wrapped",[939,940,941,945],"colgroup",{},[942,943],"col",{"style":944},"width: 50%",[942,946],{"style":944},[867,948,949],{},[841,950,953,965],{"className":951},[952],"odd",[872,954,955],{},[39,956,957,964],{},[958,959,960],"em",{},[923,961,963],{"href":962},"http:\u002F\u002Fwww.jssec.org\u002Fdl\u002Fandroid_securecoding_en.pdf","Android Application Secure Design \u002F Secure Coding Guidebook"," by JSSEC",[872,966,967],{},[39,968,969,970,973,974,976,977,979,980,982,983,985,986,988,989,991],{},"4.3. Creating\u002Fusing content providers",[971,972],"br",{},"\n4.3.1.1. Creating\u002Fusing private content providers",[971,975],{},"\n4.3.1.3. Creating\u002Fusing partner content providers",[971,978],{},"\n4.3.1.4. Creating\u002Fusing in-house content providers",[971,981],{},"\n4.3.1.5. Creating\u002Fusing temporary permit content providers",[971,984],{},"\n4.3.2.1. Content provider that Is used only in an application cannot be created in android 2.2 (API Level 8) or earlier",[971,987],{},"\n4.3.2.2. Content provider that is used only in an application must be set as private",[971,990],{},"\n4.3.2.4. 
Use an in-house defined signature permission after verifying that it is defined by an in-house application",[64,993,995],{"id":994},"bibliography","Bibliography",[833,997,998,1006],{},[837,999,1000],{},[841,1001,1002,1004],{},[845,1003],{},[845,1005],{},[867,1007,1008],{},[841,1009,1010,1026],{},[872,1011,1012,1017,1018,1017,1022],{},[923,1013,1016],{"href":1014,"rel":1015},"https:\u002F\u002Fwww.securecoding.cert.org\u002Fconfluence\u002Fwww.jssec.org\u002Fdl\u002Fandroid_securecoding.pdf",[927],"["," ",[923,1019,1021],{"href":1020},"\u002Fsei-cert-oracle-coding-standard-for-java\u002Fback-matter\u002Frule-aa-references#RuleAA.References-JSSEC14","JSSEC 2014",[923,1023,1025],{"href":1014,"rel":1024},[927],"]",[872,1027,1028],{},"4.3. Creating\u002FUsing a Content Provider (2013\u002F4\u002F1 edition)",[1030,1031],"hr",{},[39,1033,1034,1017,1041,1017,1047],{},[923,1035,1037],{"href":1036},"https:\u002F\u002Fwww.securecoding.cert.org\u002Fconfluence\u002Fpages\u002Fviewpage.action?pageId=114851866",[1038,1039],"img",{"src":1040},"\u002Fattachments\u002F88487702\u002F88497198.png",[923,1042,1044],{"href":1043},"https:\u002F\u002Fwww.securecoding.cert.org\u002Fconfluence\u002Fpages\u002Fviewpage.action?pageId=111509535",[1038,1045],{"src":1046},"\u002Fattachments\u002F88487702\u002F88497196.png",[923,1048,1050],{"href":1049},"https:\u002F\u002Fwww.securecoding.cert.org\u002Fconfluence\u002Fdisplay\u002Fjava\u002FDRD02-J.+Do+not+allow+WebView+to+access+sensitive+local+resource+through+file+scheme?showChildren=false&showComments=false",[1038,1051],{"src":1052},"\u002Fattachments\u002F88487702\u002F88497197.png",[1054,1055,1056],"style",{},"",{"title":84,"searchDepth":289,"depth":289,"links":1058},[1059,1060,1061,1062,1066,1067,1068,1069,1070,1071],{"id":66,"depth":289,"text":56},{"id":146,"depth":289,"text":59},{"id":206,"depth":289,"text":207},{"id":216,"depth":289,"text":217,"children":1063},[1064,1065],{"id":230,"depth":298,"text":231},{"id":271,"depth":298,"text":272},{"id":776,"depth":289,"text":777},{"id":827,"depth":289,"text":828},{"id":900,"depth":289,"text":901},{"id":916,"depth":289,"text":917},{"id":932,"depth":289,"text":933},{"id":994,"depth":289,"text":995},"The ContentProvider class provides a mechanism for managing and sharing data with other applications. When sharing a provider’s data with other apps, access control should be carefully implemented to prohibit unauthorized access to sensitive data.","md",{"tags":1075},[1076,1077,1078,1079,1080],"rule","drd","xml","android-applicable","cps","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcomponent-security-cps\u002Fdrd01-x",{"title":30,"description":1072},"3.android-secure-coding-standard\u002F3.rules\u002F04.component-security-cps\u002F2.drd01-x","3t_ONGvWFhAcMlGSCF2zO2ICpMLtXpUc09u8gkL77-o",[1086,1090],{"title":1087,"path":1088,"stem":1089,"children":-1},"Component Security (CPS)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcomponent-security-cps","3.android-secure-coding-standard\u002F3.rules\u002F04.component-security-cps\u002F1.index",{"title":1091,"path":1092,"stem":1093,"children":-1},"DRD07-X. 
Protect exported services with strong permissions","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcomponent-security-cps\u002Fdrd07-x","3.android-secure-coding-standard\u002F3.rules\u002F04.component-security-cps\u002F3.drd07-x"
Do not broadcast sensitive information using an implicit intent","\u002Fandroid-secure-coding-standard\u002Frules\u002Fintent-itt\u002Fdrd03-j","3.android-secure-coding-standard\u002F3.rules\u002F15.intent-itt\u002F2.drd03-j",{"title":1273,"path":1274,"stem":1275},"DRD21-J. Always pass explicit intents to a PendingIntent","\u002Fandroid-secure-coding-standard\u002Frules\u002Fintent-itt\u002Fdrd21-j","3.android-secure-coding-standard\u002F3.rules\u002F15.intent-itt\u002F3.drd21-j",{"title":1277,"path":1278,"stem":1279},"DRD06. Verify the caller of intents before acting on them","\u002Fandroid-secure-coding-standard\u002Frules\u002Fintent-itt\u002Fdrd06-verify-the-caller-of-intents-before-acting-on-them","3.android-secure-coding-standard\u002F3.rules\u002F15.intent-itt\u002F4.drd06-verify-the-caller-of-intents-before-acting-on-them",{"title":1281,"path":1282,"stem":1283},"Java Native Interface (JNI)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fjava-native-interface-jni","3.android-secure-coding-standard\u002F3.rules\u002F16.java-native-interface-jni",{"title":1285,"path":1286,"stem":1287},"Locking (LCK)","\u002Fandroid-secure-coding-standard\u002Frules\u002Flocking-lck","3.android-secure-coding-standard\u002F3.rules\u002F17.locking-lck",{"title":1289,"path":1290,"stem":1291},"Memory Management (MEM)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmemory-management-mem","3.android-secure-coding-standard\u002F3.rules\u002F18.memory-management-mem",{"title":1293,"path":1294,"stem":1295},"Methods (MET)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmethods-met","3.android-secure-coding-standard\u002F3.rules\u002F19.methods-met",{"title":1297,"path":1298,"stem":1299,"children":1300},"Miscellaneous 
(MSC)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmiscellaneous-msc","3.android-secure-coding-standard\u002F3.rules\u002F20.miscellaneous-msc\u002F1.index",[1301,1302,1306,1310,1314,1318],{"title":1297,"path":1298,"stem":1299},{"title":1303,"path":1304,"stem":1305},"DRD10-X. Do not release apps that are debuggable","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmiscellaneous-msc\u002Fdrd10-x","3.android-secure-coding-standard\u002F3.rules\u002F20.miscellaneous-msc\u002F2.drd10-x",{"title":1307,"path":1308,"stem":1309},"DRD15-J. Consider privacy concerns when using Geolocation API","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmiscellaneous-msc\u002Fdrd15-j","3.android-secure-coding-standard\u002F3.rules\u002F20.miscellaneous-msc\u002F3.drd15-j",{"title":1311,"path":1312,"stem":1313},"DRD26-J. For OAuth, use a secure Android method to deliver access tokens","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmiscellaneous-msc\u002Fdrd26-j","3.android-secure-coding-standard\u002F3.rules\u002F20.miscellaneous-msc\u002F4.drd26-j",{"title":1315,"path":1316,"stem":1317},"DRD27-J. For OAuth, use an explicit intent method to deliver access tokens","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmiscellaneous-msc\u002Fdrd27-j","3.android-secure-coding-standard\u002F3.rules\u002F20.miscellaneous-msc\u002F5.drd27-j",{"title":1319,"path":1320,"stem":1321},"DRD25. 
To request user permission for OAuth, identify relying party and its permissions scope","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmiscellaneous-msc\u002Fdrd25-to-request-user-permission-for-oauth-identify-relying-party-and-its-permissions-scope","3.android-secure-coding-standard\u002F3.rules\u002F20.miscellaneous-msc\u002F6.drd25-to-request-user-permission-for-oauth-identify-relying-party-and-its-permissions-scope",{"title":1323,"path":1324,"stem":1325,"children":1326},"Network - SSL\u002FTLS (NET)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fnetwork-ssltls-net","3.android-secure-coding-standard\u002F3.rules\u002F21.network-ssltls-net\u002F1.index",[1327,1328,1332],{"title":1323,"path":1324,"stem":1325},{"title":1329,"path":1330,"stem":1331},"DRD23-J. Do not use loopback when handling sensitive data","\u002Fandroid-secure-coding-standard\u002Frules\u002Fnetwork-ssltls-net\u002Fdrd23-j","3.android-secure-coding-standard\u002F3.rules\u002F21.network-ssltls-net\u002F2.drd23-j",{"title":1333,"path":1334,"stem":1335},"DRD19. 
Properly verify server certificate on SSL\u002FTLS","\u002Fandroid-secure-coding-standard\u002Frules\u002Fnetwork-ssltls-net\u002Fdrd19-properly-verify-server-certificate-on-ssltls","3.android-secure-coding-standard\u002F3.rules\u002F21.network-ssltls-net\u002F3.drd19-properly-verify-server-certificate-on-ssltls",{"title":1337,"path":1338,"stem":1339},"Numeric Types and Operations (NUM)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fnumeric-types-and-operations-num","3.android-secure-coding-standard\u002F3.rules\u002F22.numeric-types-and-operations-num",{"title":1341,"path":1342,"stem":1343},"Object Orientation (OBJ)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fobject-orientation-obj","3.android-secure-coding-standard\u002F3.rules\u002F23.object-orientation-obj",{"title":1345,"path":1346,"stem":1347,"children":1348},"Permission (PER)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fpermission-per","3.android-secure-coding-standard\u002F3.rules\u002F24.permission-per\u002F1.index",[1349,1350,1354,1358,1362],{"title":1345,"path":1346,"stem":1347},{"title":1351,"path":1352,"stem":1353},"DRD05-J. Do not grant URI permissions on implicit intents","\u002Fandroid-secure-coding-standard\u002Frules\u002Fpermission-per\u002Fdrd05-j","3.android-secure-coding-standard\u002F3.rules\u002F24.permission-per\u002F2.drd05-j",{"title":1355,"path":1356,"stem":1357},"DRD14-J. Check that a calling app has appropriate permissions before responding","\u002Fandroid-secure-coding-standard\u002Frules\u002Fpermission-per\u002Fdrd14-j","3.android-secure-coding-standard\u002F3.rules\u002F24.permission-per\u002F3.drd14-j",{"title":1359,"path":1360,"stem":1361},"DRD16-X. Explicitly define the exported attribute for private components","\u002Fandroid-secure-coding-standard\u002Frules\u002Fpermission-per\u002Fdrd16-x","3.android-secure-coding-standard\u002F3.rules\u002F24.permission-per\u002F4.drd16-x",{"title":1363,"path":1364,"stem":1365},"DRD20-C. 
Specify permissions when creating files via the NDK","\u002Fandroid-secure-coding-standard\u002Frules\u002Fpermission-per\u002Fdrd20-c","3.android-secure-coding-standard\u002F3.rules\u002F24.permission-per\u002F5.drd20-c",{"title":1367,"path":1368,"stem":1369},"Platform Security (SEC)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fplatform-security-sec","3.android-secure-coding-standard\u002F3.rules\u002F25.platform-security-sec",{"title":1371,"path":1372,"stem":1373},"Preprocessor (PRE)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fpreprocessor-pre","3.android-secure-coding-standard\u002F3.rules\u002F26.preprocessor-pre",{"title":1375,"path":1376,"stem":1377},"Serialization (SER)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fserialization-ser","3.android-secure-coding-standard\u002F3.rules\u002F27.serialization-ser",{"title":1379,"path":1380,"stem":1381},"Thread APIs (THI)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fthread-apis-thi","3.android-secure-coding-standard\u002F3.rules\u002F28.thread-apis-thi",{"title":1383,"path":1384,"stem":1385},"Thread-Safety Miscellaneous (TSM)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fthread-safety-miscellaneous-tsm","3.android-secure-coding-standard\u002F3.rules\u002F29.thread-safety-miscellaneous-tsm",{"title":1387,"path":1388,"stem":1389},"Visibility and Atomicity (VNA)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fvisibility-and-atomicity-vna","3.android-secure-coding-standard\u002F3.rules\u002F30.visibility-and-atomicity-vna",{"title":1391,"path":1392,"stem":1393,"children":1394},"WebView (WBV)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fwebview-wbv","3.android-secure-coding-standard\u002F3.rules\u002F31.webview-wbv\u002F1.index",[1395,1396,1400,1404],{"title":1391,"path":1392,"stem":1393},{"title":1397,"path":1398,"stem":1399},"DRD02-J. 
Do not allow WebView to access sensitive local resource through file scheme","\u002Fandroid-secure-coding-standard\u002Frules\u002Fwebview-wbv\u002Fdrd02-j","3.android-secure-coding-standard\u002F3.rules\u002F31.webview-wbv\u002F2.drd02-j",{"title":1401,"path":1402,"stem":1403},"DRD13. Do not provide addJavascriptInterface method access in a WebView which could contain untrusted content. (API level JELLY_BEAN or below)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fwebview-wbv\u002Fdrd13-do-not-provide-addjavascriptinterface-method-access-in-a-webview-which-could-contain-untrusted-content-api-level-jelly_bean-or-below","3.android-secure-coding-standard\u002F3.rules\u002F31.webview-wbv\u002F3.drd13-do-not-provide-addjavascriptinterface-method-access-in-a-webview-which-could-contain-untrusted-content-api-level-jelly_bean-or-below",{"title":1405,"path":1406,"stem":1407},"DRD22. Do not cache sensitive information","\u002Fandroid-secure-coding-standard\u002Frules\u002Fwebview-wbv\u002Fdrd22-do-not-cache-sensitive-information","3.android-secure-coding-standard\u002F3.rules\u002F31.webview-wbv\u002F4.drd22-do-not-cache-sensitive-information",{"title":1409,"path":1410,"stem":1411,"children":1412},"Recommendations","\u002Fandroid-secure-coding-standard\u002Frecommendations","3.android-secure-coding-standard\u002F4.recommendations\u002F01.index",[1413,1414,1417,1421,1424,1427,1430,1433,1436,1439,1442,1445,1448,1451,1454,1457,1460,1463,1466,1469,1472,1475,1478,1481,1484,1487,1490,1493,1496,1499,1502],{"title":1409,"path":1410,"stem":1411},{"title":1158,"path":1415,"stem":1416},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fapplication-programming-interfaces-api","3.android-secure-coding-standard\u002F4.recommendations\u002F02.application-programming-interfaces-api",{"title":1418,"path":1419,"stem":1420},"Characters and Strings 
(STR)","\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fcharacters-and-strings-str","3.android-secure-coding-standard\u002F4.recommendations\u002F03.characters-and-strings-str",{"title":1087,"path":1422,"stem":1423},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fcomponent-security-cps","3.android-secure-coding-standard\u002F4.recommendations\u002F04.component-security-cps",{"title":1179,"path":1425,"stem":1426},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fconcurrency-con","3.android-secure-coding-standard\u002F4.recommendations\u002F05.concurrency-con",{"title":1183,"path":1428,"stem":1429},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fcryptography-crp","3.android-secure-coding-standard\u002F4.recommendations\u002F06.cryptography-crp",{"title":1205,"path":1431,"stem":1432},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fdeclarations-and-initialization-dcl","3.android-secure-coding-standard\u002F4.recommendations\u002F07.declarations-and-initialization-dcl",{"title":1209,"path":1434,"stem":1435},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fenvironment-env","3.android-secure-coding-standard\u002F4.recommendations\u002F08.environment-env",{"title":1213,"path":1437,"stem":1438},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Ferror-handling-err","3.android-secure-coding-standard\u002F4.recommendations\u002F09.error-handling-err",{"title":1217,"path":1440,"stem":1441},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fexpressions-exp","3.android-secure-coding-standard\u002F4.recommendations\u002F10.expressions-exp",{"title":1221,"path":1443,"stem":1444},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Ffile-io-and-logging-fio","3.android-secure-coding-standard\u002F4.recommendations\u002F11.file-io-and-logging-fio",{"title":1251,"path":1446,"stem":1447},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Ffloating-po
int-flp","3.android-secure-coding-standard\u002F4.recommendations\u002F12.floating-point-flp",{"title":1255,"path":1449,"stem":1450},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Finput-validation-and-data-sanitization-ids","3.android-secure-coding-standard\u002F4.recommendations\u002F13.input-validation-and-data-sanitization-ids",{"title":1259,"path":1452,"stem":1453},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fintegers-int","3.android-secure-coding-standard\u002F4.recommendations\u002F14.integers-int",{"title":1263,"path":1455,"stem":1456},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fintent-itt","3.android-secure-coding-standard\u002F4.recommendations\u002F15.intent-itt",{"title":1281,"path":1458,"stem":1459},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fjava-native-interface-jni","3.android-secure-coding-standard\u002F4.recommendations\u002F16.java-native-interface-jni",{"title":1285,"path":1461,"stem":1462},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Flocking-lck","3.android-secure-coding-standard\u002F4.recommendations\u002F17.locking-lck",{"title":1289,"path":1464,"stem":1465},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fmemory-management-mem","3.android-secure-coding-standard\u002F4.recommendations\u002F18.memory-management-mem",{"title":1293,"path":1467,"stem":1468},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fmethods-met","3.android-secure-coding-standard\u002F4.recommendations\u002F19.methods-met",{"title":1297,"path":1470,"stem":1471},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fmiscellaneous-msc","3.android-secure-coding-standard\u002F4.recommendations\u002F20.miscellaneous-msc",{"title":1323,"path":1473,"stem":1474},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fnetwork-ssltls-net","3.android-secure-coding-standard\u002F4.recommendations\u002F21.network-ssltls-net",{"title":1337,"path":147
6,"stem":1477},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fnumeric-types-and-operations-num","3.android-secure-coding-standard\u002F4.recommendations\u002F22.numeric-types-and-operations-num",{"title":1341,"path":1479,"stem":1480},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fobject-orientation-obj","3.android-secure-coding-standard\u002F4.recommendations\u002F23.object-orientation-obj",{"title":1345,"path":1482,"stem":1483},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fpermission-per","3.android-secure-coding-standard\u002F4.recommendations\u002F24.permission-per",{"title":1367,"path":1485,"stem":1486},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fplatform-security-sec","3.android-secure-coding-standard\u002F4.recommendations\u002F25.platform-security-sec",{"title":1371,"path":1488,"stem":1489},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fpreprocessor-pre","3.android-secure-coding-standard\u002F4.recommendations\u002F26.preprocessor-pre",{"title":1375,"path":1491,"stem":1492},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fserialization-ser","3.android-secure-coding-standard\u002F4.recommendations\u002F27.serialization-ser",{"title":1379,"path":1494,"stem":1495},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fthread-apis-thi","3.android-secure-coding-standard\u002F4.recommendations\u002F28.thread-apis-thi",{"title":1383,"path":1497,"stem":1498},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fthread-safety-miscellaneous-tsm","3.android-secure-coding-standard\u002F4.recommendations\u002F29.thread-safety-miscellaneous-tsm",{"title":1387,"path":1500,"stem":1501},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fvisibility-and-atomicity-vna","3.android-secure-coding-standard\u002F4.recommendations\u002F30.visibility-and-atomicity-vna",{"title":1391,"path":1503,"stem":1504},"\u002Fandroid-secure-coding-standard\u002Fre
commendations\u002Fwebview-wbv","3.android-secure-coding-standard\u002F4.recommendations\u002F31.webview-wbv",{"title":1506,"path":1507,"stem":1508,"children":1509},"By Language","\u002Fandroid-secure-coding-standard\u002Fby-language","3.android-secure-coding-standard\u002F5.by-language\u002F1.index",[1510,1511,1515,1537,1541,1563],{"title":1506,"path":1507,"stem":1508},{"title":1512,"path":1513,"stem":1514},"Android Only","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fandroid-only","3.android-secure-coding-standard\u002F5.by-language\u002F2.android-only",{"title":1516,"path":1517,"stem":1518,"children":1519},"C Coding Language","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fc-coding-language","3.android-secure-coding-standard\u002F5.by-language\u002F3.c-coding-language\u002F1.index",[1520,1521,1525,1529,1533],{"title":1516,"path":1517,"stem":1518},{"title":1522,"path":1523,"stem":1524},"Applicable in Principle to Android (C Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fc-coding-language\u002Fapplicable-in-principle-to-android-c-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F3.c-coding-language\u002F2.applicable-in-principle-to-android-c-rulesrecomendations",{"title":1526,"path":1527,"stem":1528},"Applicable to Android (C Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fc-coding-language\u002Fapplicable-to-android-c-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F3.c-coding-language\u002F3.applicable-to-android-c-rulesrecomendations",{"title":1530,"path":1531,"stem":1532},"Not Applicable to Android (C 
Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fc-coding-language\u002Fnot-applicable-to-android-c-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F3.c-coding-language\u002F4.not-applicable-to-android-c-rulesrecomendations",{"title":1534,"path":1535,"stem":1536},"Unknown Applicability (C Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fc-coding-language\u002Funknown-applicability-c-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F3.c-coding-language\u002F5.unknown-applicability-c-rulesrecomendations",{"title":1538,"path":1539,"stem":1540},"C++ Coding Language","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fcpp-coding-language","3.android-secure-coding-standard\u002F5.by-language\u002F4.cpp-coding-language",{"title":1542,"path":1543,"stem":1544,"children":1545},"Java Coding Language","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fjava-coding-language","3.android-secure-coding-standard\u002F5.by-language\u002F5.java-coding-language\u002F1.index",[1546,1547,1551,1555,1559],{"title":1542,"path":1543,"stem":1544},{"title":1548,"path":1549,"stem":1550},"Applicable in Principle to Android (Java Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fjava-coding-language\u002Fapplicable-in-principle-to-android-java-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F5.java-coding-language\u002F2.applicable-in-principle-to-android-java-rulesrecomendations",{"title":1552,"path":1553,"stem":1554},"Applicable to Android (Java 
Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fjava-coding-language\u002Fapplicable-to-android-java-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F5.java-coding-language\u002F3.applicable-to-android-java-rulesrecomendations",{"title":1556,"path":1557,"stem":1558},"Not Applicable to Android (Java Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fjava-coding-language\u002Fnot-applicable-to-android-java-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F5.java-coding-language\u002F4.not-applicable-to-android-java-rulesrecomendations",{"title":1560,"path":1561,"stem":1562},"Unknown Applicability to Android (Java Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fjava-coding-language\u002Funknown-applicability-to-android-java-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F5.java-coding-language\u002F5.unknown-applicability-to-android-java-rulesrecomendations",{"title":1564,"path":1565,"stem":1566},"XML","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fxml","3.android-secure-coding-standard\u002F5.by-language\u002F6.xml",{"title":1568,"path":1569,"stem":1570,"children":1571},"Back Matter","\u002Fandroid-secure-coding-standard\u002Fback-matter","3.android-secure-coding-standard\u002F6.back-matter\u002F1.index",[1572,1573,1577],{"title":1568,"path":1569,"stem":1570},{"title":1574,"path":1575,"stem":1576},"AA. Bibliography","\u002Fandroid-secure-coding-standard\u002Fback-matter\u002Faa-bibliography","3.android-secure-coding-standard\u002F6.back-matter\u002F2.aa-bibliography",{"title":1578,"path":1579,"stem":1580,"children":1581},"BB. 
Analyzers","\u002Fandroid-secure-coding-standard\u002Fback-matter\u002Fbb-analyzers","3.android-secure-coding-standard\u002F6.back-matter\u002F3.bb-analyzers\u002F1.index",[1582,1583,1587],{"title":1578,"path":1579,"stem":1580},{"title":1584,"path":1585,"stem":1586},"CodeSonar","\u002Fandroid-secure-coding-standard\u002Fback-matter\u002Fbb-analyzers\u002Fcodesonar","3.android-secure-coding-standard\u002F6.back-matter\u002F3.bb-analyzers\u002F2.codesonar",{"title":1588,"path":1589,"stem":1590},"CodeSonar_V","\u002Fandroid-secure-coding-standard\u002Fback-matter\u002Fbb-analyzers\u002Fcodesonar_v","3.android-secure-coding-standard\u002F6.back-matter\u002F3.bb-analyzers\u002F3.codesonar_v",{"title":1592,"path":1593,"stem":1594,"children":1595},"Admin","\u002Fandroid-secure-coding-standard\u002Fadmin","3.android-secure-coding-standard\u002F7.admin\u002F01.index",[1596,1597,1601,1605,1609,1613,1617,1621,1625,1629,1633,1637,1641,1645,1649,1653],{"title":1592,"path":1593,"stem":1594},{"title":1598,"path":1599,"stem":1600},"About the OurCS Workshop","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fabout-the-ourcs-workshop","3.android-secure-coding-standard\u002F7.admin\u002F02.about-the-ourcs-workshop",{"title":1602,"path":1603,"stem":1604},"Android Applicability Summary","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fandroid-applicability-summary","3.android-secure-coding-standard\u002F7.admin\u002F03.android-applicability-summary",{"title":1606,"path":1607,"stem":1608},"Android (DRD)","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fandroid-drd","3.android-secure-coding-standard\u002F7.admin\u002F04.android-drd",{"title":1610,"path":1611,"stem":1612},"Avoid having unreachable code","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Favoid-having-unreachable-code","3.android-secure-coding-standard\u002F7.admin\u002F05.avoid-having-unreachable-code",{"title":1614,"path":1615,"stem":1616},"C Space Change History 
Log","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fc-space-change-history-log","3.android-secure-coding-standard\u002F7.admin\u002F06.c-space-change-history-log",{"title":1618,"path":1619,"stem":1620},"Copy of Rule Template","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fcopy-of-rule-template","3.android-secure-coding-standard\u002F7.admin\u002F07.copy-of-rule-template",{"title":1622,"path":1623,"stem":1624},"C++ Space Change History Log","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fcpp-space-change-history-log","3.android-secure-coding-standard\u002F7.admin\u002F08.cpp-space-change-history-log",{"title":1626,"path":1627,"stem":1628},"Dictionary of Labels","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fdictionary-of-labels","3.android-secure-coding-standard\u002F7.admin\u002F09.dictionary-of-labels",{"title":1630,"path":1631,"stem":1632},"How to Change Applicability When a Rules and Recommendations Change","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fhow-to-change-applicability-when-a-rules-and-recommendations-change","3.android-secure-coding-standard\u002F7.admin\u002F10.how-to-change-applicability-when-a-rules-and-recommendations-change",{"title":1634,"path":1635,"stem":1636},"Java Space Change History Log","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fjava-space-change-history-log","3.android-secure-coding-standard\u002F7.admin\u002F11.java-space-change-history-log",{"title":1638,"path":1639,"stem":1640},"Labels in this Space","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Flabels-in-this-space","3.android-secure-coding-standard\u002F7.admin\u002F12.labels-in-this-space",{"title":1642,"path":1643,"stem":1644},"Perl Space Change History Log","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fperl-space-change-history-log","3.android-secure-coding-standard\u002F7.admin\u002F13.perl-space-change-history-log",{"title":1646,"path":1647,"stem":1648},"Resources for new Android app secure coding rules and 
guidelines","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fresources-for-new-android-app-secure-coding-rules-and-guidelines","3.android-secure-coding-standard\u002F7.admin\u002F14.resources-for-new-android-app-secure-coding-rules-and-guidelines",{"title":1650,"path":1651,"stem":1652},"Rule Template","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Frule-template","3.android-secure-coding-standard\u002F7.admin\u002F15.rule-template",{"title":1654,"path":1655,"stem":1656},"Rules Applicable for Both the Android Platform and Other Platforms","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Frules-applicable-for-both-the-android-platform-and-other-platforms","3.android-secure-coding-standard\u002F7.admin\u002F16.rules-applicable-for-both-the-android-platform-and-other-platforms",1775657823529]