[{"data":1,"prerenderedAt":2079},["ShallowReactive",2],{"global-navigation":3,"page-\u002Fandroid-secure-coding-standard\u002Frules\u002Fcomponent-security-cps\u002Fdrd08-j":28,"surround-\u002Fandroid-secure-coding-standard\u002Frules\u002Fcomponent-security-cps\u002Fdrd08-j":1507,"sidebar-android-secure-coding-standard":1516},[4,8],{"title":5,"path":6,"_path":6,"fromAppConfig":7},"Home","\u002F",true,{"title":9,"path":10,"children":11,"_path":27,"fromAppConfig":7},"Coding Standards","\u002Fcoding-standards\u002F",[12,15,18,21,24],{"title":13,"path":14},"Android Coding Standard","\u002Fandroid-secure-coding-standard\u002F",{"title":16,"path":17},"C Coding Standard","\u002Fsei-cert-c-coding-standard\u002F",{"title":19,"path":20},"C++ Coding Standard","\u002Fsei-cert-cpp-coding-standard\u002F",{"title":22,"path":23},"Java Coding Standard","\u002Fsei-cert-oracle-coding-standard-for-java\u002F",{"title":25,"path":26},"Perl Coding Standard","\u002Fsei-cert-perl-coding-standard\u002F","\u002Fcoding-standards",{"id":29,"title":30,"body":31,"description":1495,"extension":1496,"meta":1497,"navigation":7,"path":1503,"seo":1504,"stem":1505,"__hash__":1506},"content\u002F3.android-secure-coding-standard\u002F3.rules\u002F04.component-security-cps\u002F4.drd08-j.md","DRD08-J. Always canonicalize a URL received by a content provider",{"type":32,"value":33,"toc":1481},"minimark",[34,38,51,67,72,86,212,215,232,362,368,686,700,707,716,720,726,820,823,828,834,839,849,854,860,865,878,881,886,891,896,899,903,906,909,913,916,1033,1037,1040,1132,1136,1149,1152,1304,1308,1311,1319,1323,1326,1388,1392,1395,1398,1401,1404,1407,1411,1423,1427,1452,1455,1477],[35,36,30],"h1",{"id":37},"drd08-j-always-canonicalize-a-url-received-by-a-content-provider",[39,40,41,42,46,47,50],"p",{},"By using the ",[43,44,45],"code",{},"ContentProvider.openFile()"," method, you can provide a facility for another application to access your application data (file). 
Depending on the implementation of ",[43,48,49],{},"ContentProvider"," , use of the method can lead to a directory traversal vulnerability. Therefore, when exchanging a file through a content provider, the path should be canonicalized before it is used.",[39,52,53,54,59,60,66],{},"This rule is an Android-specific instance of ",[55,56,58],"a",{"href":57},"\u002Fsei-cert-oracle-coding-standard-for-java\u002Frules\u002Finput-validation-and-data-sanitization-ids\u002Fids01-j","IDS01-J. Normalize strings before validating them"," and ",[55,61,65],{"href":62,"rel":63},"https:\u002F\u002Fwww.securecoding.cert.org\u002Fconfluence\u002Fdisplay\u002Fjava\u002FIDS02-J.+Canonicalize+path+names+before+validating+them",[64],"nofollow","IDS02-J. Canonicalize path names before validating them"," .",[68,69,71],"h2",{"id":70},"noncompliant-code-example-1","Noncompliant Code Example 1",[39,73,74,75,78,79,82,83,66],{},"This noncompliant code example tries to retrieve the last segment from the path ",[43,76,77],{},"paramUri"," , which is supposed to denote a file name, by calling ",[43,80,81],{},"android.net.Uri.getLastPathSegment()"," . 
The file is accessed in the pre-configured parent directory ",[43,84,85],{},"IMAGE_DIRECTORY",[87,88,90],"code-block",{"quality":89},"bad",[91,92,97],"pre",{"className":93,"code":94,"language":95,"meta":96,"style":96},"language-java shiki shiki-themes github-light github-dark monokai","private static String IMAGE_DIRECTORY = localFile.getAbsolutePath();\npublic ParcelFileDescriptor openFile(Uri paramUri, String paramString)\n    throws FileNotFoundException {\n  File file = new File(IMAGE_DIRECTORY, paramUri.getLastPathSegment());\n  return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);\n}\n","java","",[43,98,99,132,159,165,191,206],{"__ignoreMap":96},[100,101,104,108,111,115,119,122,125,129],"span",{"class":102,"line":103},"line",1,[100,105,107],{"class":106},"sC2Qs","private",[100,109,110],{"class":106}," static",[100,112,114],{"class":113},"sk8M1"," String",[100,116,118],{"class":117},"sMOD_"," IMAGE_DIRECTORY ",[100,120,121],{"class":106},"=",[100,123,124],{"class":117}," localFile.",[100,126,128],{"class":127},"srTi1","getAbsolutePath",[100,130,131],{"class":117},"();\n",[100,133,135,138,141,144,147,150,153,156],{"class":102,"line":134},2,[100,136,137],{"class":106},"public",[100,139,140],{"class":113}," ParcelFileDescriptor",[100,142,143],{"class":127}," openFile",[100,145,146],{"class":117},"(",[100,148,149],{"class":113},"Uri",[100,151,152],{"class":117}," paramUri, ",[100,154,155],{"class":113},"String",[100,157,158],{"class":117}," paramString)\n",[100,160,162],{"class":102,"line":161},3,[100,163,164],{"class":117},"    throws FileNotFoundException {\n",[100,166,168,171,174,176,179,182,185,188],{"class":102,"line":167},4,[100,169,170],{"class":113},"  File",[100,172,173],{"class":117}," file ",[100,175,121],{"class":106},[100,177,178],{"class":106}," new",[100,180,181],{"class":127}," File",[100,183,184],{"class":117},"(IMAGE_DIRECTORY, 
paramUri.",[100,186,187],{"class":127},"getLastPathSegment",[100,189,190],{"class":117},"());\n",[100,192,194,197,200,203],{"class":102,"line":193},5,[100,195,196],{"class":106},"  return",[100,198,199],{"class":117}," ParcelFileDescriptor.",[100,201,202],{"class":127},"open",[100,204,205],{"class":117},"(file, ParcelFileDescriptor.MODE_READ_ONLY);\n",[100,207,209],{"class":102,"line":208},6,[100,210,211],{"class":117},"}\n",[39,213,214],{},"However, when the path is URL encoded, it may denote a file in an unintended directory which is outside of the pre-configured parent directory.",[39,216,217,218,221,222,225,226,231],{},"From Android 4.3.0_r2.2, the method ",[43,219,220],{},"Uri.getLastPathSegment()"," calls ",[43,223,224],{},"Uri.getPathSegments()"," internally (see: ",[55,227,230],{"href":228,"rel":229},"http:\u002F\u002Ftools.oesf.biz\u002Fandroid-4.3.0_r2.2\u002Fxref\u002Fframeworks\u002Fbase\u002Fcore\u002Fjava\u002Fandroid\u002Fnet\u002FUri.java",[64],"Cross Reference: Uri.java"," ):",[91,233,235],{"className":93,"code":234,"language":95,"meta":96,"style":96},"public String getLastPathSegment() {\n  \u002F\u002F TODO: If we haven't parsed all of the segments already, just\n  \u002F\u002F grab the last one directly so we only allocate one string.\n  List\u003CString> segments = getPathSegments();\n  int size = segments.size();\n  if (size == 0) {\n    return null;\n  }\n  return segments.get(size - 1);\n}\n",[43,236,237,249,255,260,281,299,317,329,335,357],{"__ignoreMap":96},[100,238,239,241,243,246],{"class":102,"line":103},[100,240,137],{"class":106},[100,242,114],{"class":113},[100,244,245],{"class":127}," getLastPathSegment",[100,247,248],{"class":117},"() {\n",[100,250,251],{"class":102,"line":134},[100,252,254],{"class":253},"s8-w5","  \u002F\u002F TODO: If we haven't parsed all of the segments already, just\n",[100,256,257],{"class":102,"line":161},[100,258,259],{"class":253},"  \u002F\u002F grab the last one directly so we only allocate one 
string.\n",[100,261,262,265,268,271,274,276,279],{"class":102,"line":167},[100,263,264],{"class":113},"  List",[100,266,267],{"class":117},"\u003C",[100,269,155],{"class":270},"sq6CD",[100,272,273],{"class":117},"> segments ",[100,275,121],{"class":106},[100,277,278],{"class":127}," getPathSegments",[100,280,131],{"class":117},[100,282,283,286,289,291,294,297],{"class":102,"line":193},[100,284,285],{"class":270},"  int",[100,287,288],{"class":117}," size ",[100,290,121],{"class":106},[100,292,293],{"class":117}," segments.",[100,295,296],{"class":127},"size",[100,298,131],{"class":117},[100,300,301,304,307,310,314],{"class":102,"line":208},[100,302,303],{"class":106},"  if",[100,305,306],{"class":117}," (size ",[100,308,309],{"class":106},"==",[100,311,313],{"class":312},"s7F3e"," 0",[100,315,316],{"class":117},") {\n",[100,318,320,323,326],{"class":102,"line":319},7,[100,321,322],{"class":106},"    return",[100,324,325],{"class":312}," null",[100,327,328],{"class":117},";\n",[100,330,332],{"class":102,"line":331},8,[100,333,334],{"class":117},"  }\n",[100,336,338,340,342,345,348,351,354],{"class":102,"line":337},9,[100,339,196],{"class":106},[100,341,293],{"class":117},[100,343,344],{"class":127},"get",[100,346,347],{"class":117},"(size ",[100,349,350],{"class":106},"-",[100,352,353],{"class":312}," 1",[100,355,356],{"class":117},");\n",[100,358,360],{"class":102,"line":359},10,[100,361,211],{"class":117},[39,363,364,365,367],{},"A part of the method ",[43,366,224],{}," is as follows:",[91,369,371],{"className":93,"code":370,"language":95,"meta":96,"style":96},"PathSegments getPathSegments() {\n  if (pathSegments != null) {\n    return pathSegments;\n  }\n  String path = getEncoded();\n  if (path == null) {\n    return pathSegments = PathSegments.EMPTY;\n  }\n  PathSegmentsBuilder segmentBuilder = new PathSegmentsBuilder();\n  int previous = 0;\n  int current;\n  while ((current = path.indexOf('\u002F', previous)) > -1) {\n    \u002F\u002F This check keeps us from 
adding a segment if the path starts\n    \u002F\u002F '\u002F' and an empty segment for \"\u002F\u002F\".\n    if (previous \u003C current) {\n      String decodedSegment = decode(path.substring(previous, current));\n      segmentBuilder.add(decodedSegment);\n    }\n    previous = current + 1;\n  }\n  \u002F\u002F Add in the final path segment.\n  if (previous \u003C path.length()) {\n    segmentBuilder.add(decode(path.substring(previous)));\n  }\n  return pathSegments = segmentBuilder.build();\n}\n",[43,372,373,382,396,403,407,422,435,447,451,468,481,489,526,532,538,552,575,587,593,611,616,622,639,659,664,681],{"__ignoreMap":96},[100,374,375,378,380],{"class":102,"line":103},[100,376,377],{"class":113},"PathSegments",[100,379,278],{"class":127},[100,381,248],{"class":117},[100,383,384,386,389,392,394],{"class":102,"line":134},[100,385,303],{"class":106},[100,387,388],{"class":117}," (pathSegments ",[100,390,391],{"class":106},"!=",[100,393,325],{"class":312},[100,395,316],{"class":117},[100,397,398,400],{"class":102,"line":161},[100,399,322],{"class":106},[100,401,402],{"class":117}," pathSegments;\n",[100,404,405],{"class":102,"line":167},[100,406,334],{"class":117},[100,408,409,412,415,417,420],{"class":102,"line":193},[100,410,411],{"class":113},"  String",[100,413,414],{"class":117}," path ",[100,416,121],{"class":106},[100,418,419],{"class":127}," getEncoded",[100,421,131],{"class":117},[100,423,424,426,429,431,433],{"class":102,"line":208},[100,425,303],{"class":106},[100,427,428],{"class":117}," (path ",[100,430,309],{"class":106},[100,432,325],{"class":312},[100,434,316],{"class":117},[100,436,437,439,442,444],{"class":102,"line":319},[100,438,322],{"class":106},[100,440,441],{"class":117}," pathSegments ",[100,443,121],{"class":106},[100,445,446],{"class":117}," PathSegments.EMPTY;\n",[100,448,449],{"class":102,"line":331},[100,450,334],{"class":117},[100,452,453,456,459,461,463,466],{"class":102,"line":337},[100,454,455],{"class":113},"  
PathSegmentsBuilder",[100,457,458],{"class":117}," segmentBuilder ",[100,460,121],{"class":106},[100,462,178],{"class":106},[100,464,465],{"class":127}," PathSegmentsBuilder",[100,467,131],{"class":117},[100,469,470,472,475,477,479],{"class":102,"line":359},[100,471,285],{"class":270},[100,473,474],{"class":117}," previous ",[100,476,121],{"class":106},[100,478,313],{"class":312},[100,480,328],{"class":117},[100,482,484,486],{"class":102,"line":483},11,[100,485,285],{"class":270},[100,487,488],{"class":117}," current;\n",[100,490,492,495,498,500,503,506,508,512,515,518,521,524],{"class":102,"line":491},12,[100,493,494],{"class":106},"  while",[100,496,497],{"class":117}," ((current ",[100,499,121],{"class":106},[100,501,502],{"class":117}," path.",[100,504,505],{"class":127},"indexOf",[100,507,146],{"class":117},[100,509,511],{"class":510},"sstjo","'\u002F'",[100,513,514],{"class":117},", previous)) ",[100,516,517],{"class":106},">",[100,519,520],{"class":106}," -",[100,522,523],{"class":312},"1",[100,525,316],{"class":117},[100,527,529],{"class":102,"line":528},13,[100,530,531],{"class":253},"    \u002F\u002F This check keeps us from adding a segment if the path starts\n",[100,533,535],{"class":102,"line":534},14,[100,536,537],{"class":253},"    \u002F\u002F '\u002F' and an empty segment for \"\u002F\u002F\".\n",[100,539,541,544,547,549],{"class":102,"line":540},15,[100,542,543],{"class":106},"    if",[100,545,546],{"class":117}," (previous ",[100,548,267],{"class":106},[100,550,551],{"class":117}," current) {\n",[100,553,555,558,561,563,566,569,572],{"class":102,"line":554},16,[100,556,557],{"class":113},"      String",[100,559,560],{"class":117}," decodedSegment ",[100,562,121],{"class":106},[100,564,565],{"class":127}," decode",[100,567,568],{"class":117},"(path.",[100,570,571],{"class":127},"substring",[100,573,574],{"class":117},"(previous, current));\n",[100,576,578,581,584],{"class":102,"line":577},17,[100,579,580],{"class":117},"      
segmentBuilder.",[100,582,583],{"class":127},"add",[100,585,586],{"class":117},"(decodedSegment);\n",[100,588,590],{"class":102,"line":589},18,[100,591,592],{"class":117},"    }\n",[100,594,596,599,601,604,607,609],{"class":102,"line":595},19,[100,597,598],{"class":117},"    previous ",[100,600,121],{"class":106},[100,602,603],{"class":117}," current ",[100,605,606],{"class":106},"+",[100,608,353],{"class":312},[100,610,328],{"class":117},[100,612,614],{"class":102,"line":613},20,[100,615,334],{"class":117},[100,617,619],{"class":102,"line":618},21,[100,620,621],{"class":253},"  \u002F\u002F Add in the final path segment.\n",[100,623,625,627,629,631,633,636],{"class":102,"line":624},22,[100,626,303],{"class":106},[100,628,546],{"class":117},[100,630,267],{"class":106},[100,632,502],{"class":117},[100,634,635],{"class":127},"length",[100,637,638],{"class":117},"()) {\n",[100,640,642,645,647,649,652,654,656],{"class":102,"line":641},23,[100,643,644],{"class":117},"    segmentBuilder.",[100,646,583],{"class":127},[100,648,146],{"class":117},[100,650,651],{"class":127},"decode",[100,653,568],{"class":117},[100,655,571],{"class":127},[100,657,658],{"class":117},"(previous)));\n",[100,660,662],{"class":102,"line":661},24,[100,663,334],{"class":117},[100,665,667,669,671,673,676,679],{"class":102,"line":666},25,[100,668,196],{"class":106},[100,670,441],{"class":117},[100,672,121],{"class":106},[100,674,675],{"class":117}," segmentBuilder.",[100,677,678],{"class":127},"build",[100,680,131],{"class":117},[100,682,684],{"class":102,"line":683},26,[100,685,211],{"class":117},[39,687,688,689,691,692,695,696,699],{},"The method ",[43,690,224],{}," first acquires a path by calling ",[43,693,694],{},"getEncoded()"," , then divides the path into segments using \"\u002F\" as a separator. 
Any segment that is encoded will be URL decoded by the ",[43,697,698],{},"decode()"," method.",[39,701,702,703,706],{},"If a path is URL encoded, the separator character will be \"%2F\" instead of \"\u002F\" and ",[43,704,705],{},"getLastPathSegment()"," may not properly return the last segment of the path, which will be a surprise to the user of the method. Moreover, the design of this API directly enables a directory traversal vulnerability.",[39,708,709,710,712,713,715],{},"If the ",[43,711,224],{}," method decoded a path before making it into segments, the URL encoded path could be properly processed. Unfortunately, this is not the case and users should not pass a path to ",[43,714,220],{}," before decoding it.",[68,717,719],{"id":718},"noncompliant-code-example-2","Noncompliant Code Example 2",[39,721,722,723,725],{},"This noncompliant code example attempts to fix the first noncompliant code example by calling ",[43,724,220],{}," twice. The first call is intended for URL decoding and the second call is to obtain the string the developer wanted.",[87,727,728],{"quality":89},[91,729,731],{"className":93,"code":730,"language":95,"meta":96,"style":96},"private static String IMAGE_DIRECTORY = localFile.getAbsolutePath();\n  public ParcelFileDescriptor openFile(Uri paramUri, String paramString)\n      throws FileNotFoundException {\n    File file = new File(IMAGE_DIRECTORY, Uri.parse(paramUri.getLastPathSegment()).getLastPathSegment());\n    return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);\n  }\n",[43,732,733,751,770,775,806,816],{"__ignoreMap":96},[100,734,735,737,739,741,743,745,747,749],{"class":102,"line":103},[100,736,107],{"class":106},[100,738,110],{"class":106},[100,740,114],{"class":113},[100,742,118],{"class":117},[100,744,121],{"class":106},[100,746,124],{"class":117},[100,748,128],{"class":127},[100,750,131],{"class":117},[100,752,753,756,758,760,762,764,766,768],{"class":102,"line":134},[100,754,755],{"class":106},"  
public",[100,757,140],{"class":113},[100,759,143],{"class":127},[100,761,146],{"class":117},[100,763,149],{"class":113},[100,765,152],{"class":117},[100,767,155],{"class":113},[100,769,158],{"class":117},[100,771,772],{"class":102,"line":161},[100,773,774],{"class":117},"      throws FileNotFoundException {\n",[100,776,777,780,782,784,786,788,791,794,797,799,802,804],{"class":102,"line":167},[100,778,779],{"class":113},"    File",[100,781,173],{"class":117},[100,783,121],{"class":106},[100,785,178],{"class":106},[100,787,181],{"class":127},[100,789,790],{"class":117},"(IMAGE_DIRECTORY, Uri.",[100,792,793],{"class":127},"parse",[100,795,796],{"class":117},"(paramUri.",[100,798,187],{"class":127},[100,800,801],{"class":117},"()).",[100,803,187],{"class":127},[100,805,190],{"class":117},[100,807,808,810,812,814],{"class":102,"line":193},[100,809,322],{"class":106},[100,811,199],{"class":117},[100,813,202],{"class":127},[100,815,205],{"class":117},[100,817,818],{"class":102,"line":208},[100,819,334],{"class":117},[39,821,822],{},"For example, consider what happens when the following URL encoded string is passed to the content provider:",[39,824,825],{},[43,826,827],{},"..%2F..%2F..%2Fdata%2Fdata%2Fcom.example.android.app%2Fshared_prefs%2FExample.xml",[39,829,830,831,833],{},"The first call of ",[43,832,220],{}," will return the following string:",[39,835,836],{},[43,837,838],{},"..\u002F..\u002F..\u002Fdata\u002Fdata\u002Fcom.example.android.app\u002Fshared_prefs\u002FExample.xml",[39,840,841,842,845,846,848],{},"The string is converted to a Uri object by ",[43,843,844],{},"Uri.parse()"," , which is passed to the second call of ",[43,847,220],{}," . The resulting string will be:",[39,850,851],{},[43,852,853],{},"Example.xml",[39,855,856,857,859],{},"The string is used to create a file object. However, if an attacker could supply a string which cannot be decoded by the first call of the ",[43,858,220],{}," , the last path segment may not be retrieved. 
An attacker can create such a string by using the technique called double encoding:",[861,862,864],"h3",{"id":863},"double-encoding","Double Encoding",[39,866,867,868,872,873,877],{},"(See [ ",[55,869,871],{"href":870},"\u002Fsei-cert-oracle-coding-standard-for-java\u002Fback-matter\u002Frule-aa-references#RuleAA.References-OWASP09","OWASP 2009"," ] ",[55,874,864],{"href":875,"rel":876},"https:\u002F\u002Fwww.owasp.org\u002Findex.php\u002FDouble_Encoding",[64]," for more information.)",[39,879,880],{},"For example, the following double encoded string will circumvent the fix.",[39,882,883],{},[43,884,885],{},"%252E%252E%252F%252E%252E%252F%252E%252E%252Fdata%252Fdata%252Fcom.example.android.app%252Fshared_prefs%252FExample.xml",[39,887,830,888,890],{},[43,889,220],{}," will decode \"%25\" to \"%\" and return the string:",[39,892,893],{},[43,894,895],{},"%2E%2E%2F%2E%2E%2F%2E%2E%2Fdata%2Fdata%2Fcom.example.android.app%2Fshared_prefs%2FExample.xml",[39,897,898],{},"When this string is passed to the second Uri.getLastPathSegment(), \"%2E\" and \"%2F\" will be decoded and the result will be:",[39,900,901],{},[43,902,838],{},[39,904,905],{},"which makes directory traversal possible.",[39,907,908],{},"As a mitigation to the directory traversal attack in this example, it is not enough to only decode the strings. 
The decoded path must be checked to make sure that the path is under the intended directory.",[861,910,912],{"id":911},"proof-of-concept","Proof of Concept",[39,914,915],{},"The following malicious code can exploit the vulnerable application that contains the first noncompliant code example:",[91,917,919],{"className":93,"code":918,"language":95,"meta":96,"style":96},"String target = \"content:\u002F\u002Fcom.example.android.sdk.imageprovider\u002Fdata\u002F\" +\n  \"..%2F..%2F..%2Fdata%2Fdata%2Fcom.example.android.app%2Fshared_prefs%2FExample.xml\";\n\nContentResolver cr = this.getContentResolver();\nFileInputStream fis = (FileInputStream)cr.openInputStream(Uri.parse(target));\n\nbyte[] buff = new byte[fis.available()];\nin.read(buff);\n",[43,920,921,936,943,948,970,994,998,1022],{"__ignoreMap":96},[100,922,923,925,928,930,933],{"class":102,"line":103},[100,924,155],{"class":113},[100,926,927],{"class":117}," target ",[100,929,121],{"class":106},[100,931,932],{"class":510}," \"content:\u002F\u002Fcom.example.android.sdk.imageprovider\u002Fdata\u002F\"",[100,934,935],{"class":106}," +\n",[100,937,938,941],{"class":102,"line":134},[100,939,940],{"class":510},"  \"..%2F..%2F..%2Fdata%2Fdata%2Fcom.example.android.app%2Fshared_prefs%2FExample.xml\"",[100,942,328],{"class":117},[100,944,945],{"class":102,"line":161},[100,946,947],{"emptyLinePlaceholder":7},"\n",[100,949,950,953,956,958,962,965,968],{"class":102,"line":167},[100,951,952],{"class":113},"ContentResolver",[100,954,955],{"class":117}," cr ",[100,957,121],{"class":106},[100,959,961],{"class":960},"sP7S_"," this",[100,963,964],{"class":117},".",[100,966,967],{"class":127},"getContentResolver",[100,969,131],{"class":117},[100,971,972,975,978,980,983,986,989,991],{"class":102,"line":193},[100,973,974],{"class":113},"FileInputStream",[100,976,977],{"class":117}," fis ",[100,979,121],{"class":106},[100,981,982],{"class":117}," 
(FileInputStream)cr.",[100,984,985],{"class":127},"openInputStream",[100,987,988],{"class":117},"(Uri.",[100,990,793],{"class":127},[100,992,993],{"class":117},"(target));\n",[100,995,996],{"class":102,"line":208},[100,997,947],{"emptyLinePlaceholder":7},[100,999,1000,1003,1006,1008,1010,1013,1016,1019],{"class":102,"line":319},[100,1001,1002],{"class":270},"byte",[100,1004,1005],{"class":117},"[] buff ",[100,1007,121],{"class":106},[100,1009,178],{"class":106},[100,1011,1012],{"class":270}," byte",[100,1014,1015],{"class":117},"[fis.",[100,1017,1018],{"class":127},"available",[100,1020,1021],{"class":117},"()];\n",[100,1023,1024,1027,1030],{"class":102,"line":331},[100,1025,1026],{"class":117},"in.",[100,1028,1029],{"class":127},"read",[100,1031,1032],{"class":117},"(buff);\n",[861,1034,1036],{"id":1035},"proof-of-concept-double-encoding","Proof of Concept (Double Encoding)",[39,1038,1039],{},"The following malicious code can exploit the vulnerable application that contains the second noncompliant code example:",[91,1041,1043],{"className":93,"code":1042,"language":95,"meta":96,"style":96},"String target = \"content:\u002F\u002Fcom.example.android.sdk.imageprovider\u002Fdata\u002F\" +\n  \"%252E%252E%252F%252E%252E%252F%252E%252E%252Fdata%252Fdata%252Fcom.example.android.app%252Fshared_prefs%252FExample.xml\";\n\nContentResolver cr = this.getContentResolver();\nFileInputStream fis = (FileInputStream)cr.openInputStream(Uri.parse(target));\n\nbyte[] buff = new byte[fis.available()];\nin.read(buff);\n",[43,1044,1045,1057,1064,1068,1084,1102,1106,1124],{"__ignoreMap":96},[100,1046,1047,1049,1051,1053,1055],{"class":102,"line":103},[100,1048,155],{"class":113},[100,1050,927],{"class":117},[100,1052,121],{"class":106},[100,1054,932],{"class":510},[100,1056,935],{"class":106},[100,1058,1059,1062],{"class":102,"line":134},[100,1060,1061],{"class":510},"  
\"%252E%252E%252F%252E%252E%252F%252E%252E%252Fdata%252Fdata%252Fcom.example.android.app%252Fshared_prefs%252FExample.xml\"",[100,1063,328],{"class":117},[100,1065,1066],{"class":102,"line":161},[100,1067,947],{"emptyLinePlaceholder":7},[100,1069,1070,1072,1074,1076,1078,1080,1082],{"class":102,"line":167},[100,1071,952],{"class":113},[100,1073,955],{"class":117},[100,1075,121],{"class":106},[100,1077,961],{"class":960},[100,1079,964],{"class":117},[100,1081,967],{"class":127},[100,1083,131],{"class":117},[100,1085,1086,1088,1090,1092,1094,1096,1098,1100],{"class":102,"line":193},[100,1087,974],{"class":113},[100,1089,977],{"class":117},[100,1091,121],{"class":106},[100,1093,982],{"class":117},[100,1095,985],{"class":127},[100,1097,988],{"class":117},[100,1099,793],{"class":127},[100,1101,993],{"class":117},[100,1103,1104],{"class":102,"line":208},[100,1105,947],{"emptyLinePlaceholder":7},[100,1107,1108,1110,1112,1114,1116,1118,1120,1122],{"class":102,"line":319},[100,1109,1002],{"class":270},[100,1111,1005],{"class":117},[100,1113,121],{"class":106},[100,1115,178],{"class":106},[100,1117,1012],{"class":270},[100,1119,1015],{"class":117},[100,1121,1018],{"class":127},[100,1123,1021],{"class":117},[100,1125,1126,1128,1130],{"class":102,"line":331},[100,1127,1026],{"class":117},[100,1129,1029],{"class":127},[100,1131,1032],{"class":117},[68,1133,1135],{"id":1134},"compliant-solution","Compliant Solution",[39,1137,1138,1139,1142,1143,1146,1147,66],{},"In the following compliant solution, a path is decoded by ",[43,1140,1141],{},"Uri.decode()"," before use. 
Also, after the File object is created, the path is canonicalized by calling ",[43,1144,1145],{},"File.getCanonicalPath()"," and checked to confirm that it is included in ",[43,1148,85],{},[39,1150,1151],{},"By using the canonicalized path, directory traversal will be mitigated even when a doubly-encoded path is supplied. Note that a plain prefix comparison also accepts a sibling directory whose name merely begins with the same characters as the intended directory, so the comparison should be made against the canonical directory path followed by a path separator.",[87,1153,1155],{"quality":1154},"good",[91,1156,1158],{"className":93,"code":1157,"language":95,"meta":96,"style":96},"private static String IMAGE_DIRECTORY = localFile.getAbsolutePath();\n  public ParcelFileDescriptor openFile(Uri paramUri, String paramString)\n      throws FileNotFoundException {\n    String decodedUriString = Uri.decode(paramUri.toString());\n    File file = new File(IMAGE_DIRECTORY, Uri.parse(decodedUriString).getLastPathSegment());\n    if (file.getCanonicalPath().indexOf(localFile.getCanonicalPath()) != 0) {\n      throw new IllegalArgumentException();\n    }\n    return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);\n  }\n",[43,1159,1160,1178,1196,1200,1222,1245,1274,1286,1290,1300],{"__ignoreMap":96},[100,1161,1162,1164,1166,1168,1170,1172,1174,1176],{"class":102,"line":103},[100,1163,107],{"class":106},[100,1165,110],{"class":106},[100,1167,114],{"class":113},[100,1169,118],{"class":117},[100,1171,121],{"class":106},[100,1173,124],{"class":117},[100,1175,128],{"class":127},[100,1177,131],{"class":117},[100,1179,1180,1182,1184,1186,1188,1190,1192,1194],{"class":102,"line":134},[100,1181,755],{"class":106},[100,1183,140],{"class":113},[100,1185,143],{"class":127},[100,1187,146],{"class":117},[100,1189,149],{"class":113},[100,1191,152],{"class":117},[100,1193,155],{"class":113},[100,1195,158],{"class":117},[100,1197,1198],{"class":102,"line":161},[100,1199,774],{"class":117},[100,1201,1202,1205,1208,1210,1213,1215,1217,1220],{"class":102,"line":167},[100,1203,1204],{"class":113},"    String",[100,1206,1207],{"class":117}," decodedUriString ",[100,1209,121],{"class":106},[100,1211,1212],{"class":117}," 
Uri.",[100,1214,651],{"class":127},[100,1216,796],{"class":117},[100,1218,1219],{"class":127},"toString",[100,1221,190],{"class":117},[100,1223,1224,1226,1228,1230,1232,1234,1236,1238,1241,1243],{"class":102,"line":193},[100,1225,779],{"class":113},[100,1227,173],{"class":117},[100,1229,121],{"class":106},[100,1231,178],{"class":106},[100,1233,181],{"class":127},[100,1235,790],{"class":117},[100,1237,793],{"class":127},[100,1239,1240],{"class":117},"(decodedUriString).",[100,1242,187],{"class":127},[100,1244,190],{"class":117},[100,1246,1247,1249,1252,1255,1258,1260,1263,1265,1268,1270,1272],{"class":102,"line":208},[100,1248,543],{"class":106},[100,1250,1251],{"class":117}," (file.",[100,1253,1254],{"class":127},"getCanonicalPath",[100,1256,1257],{"class":117},"().",[100,1259,505],{"class":127},[100,1261,1262],{"class":117},"(localFile.",[100,1264,1254],{"class":127},[100,1266,1267],{"class":117},"()) ",[100,1269,391],{"class":106},[100,1271,313],{"class":312},[100,1273,316],{"class":117},[100,1275,1276,1279,1281,1284],{"class":102,"line":319},[100,1277,1278],{"class":106},"      throw",[100,1280,178],{"class":106},[100,1282,1283],{"class":127}," IllegalArgumentException",[100,1285,131],{"class":117},[100,1287,1288],{"class":102,"line":331},[100,1289,592],{"class":117},[100,1291,1292,1294,1296,1298],{"class":102,"line":337},[100,1293,322],{"class":106},[100,1295,199],{"class":117},[100,1297,202],{"class":127},[100,1299,205],{"class":117},[100,1301,1302],{"class":102,"line":359},[100,1303,334],{"class":117},[68,1305,1307],{"id":1306},"applicability","Applicability",[39,1309,1310],{},"Applications should ensure that any URL received by a content provider is canonicalized to avoid a directory traversal attack.",[39,1312,1313,1314,59,1316,66],{},"This rule is a special case of ",[55,1315,58],{"href":57},[55,1317,65],{"href":62,"rel":1318},[64],[68,1320,1322],{"id":1321},"risk-assessment","Risk Assessment",[39,1324,1325],{},"Failing to canonicalize a path received by a 
content provider may lead to a directory traversal vulnerability which could result in the release of sensitive data or in the malicious corruption of data.",[1327,1328,1329,1330,1329,1360],"table",{},"\n  ",[1331,1332,1333,1334,1329],"thead",{},"\n    ",[1335,1336,1337,1338,1337,1342,1337,1345,1337,1348,1337,1351,1337,1354,1337,1357,1333],"tr",{},"\n      ",[1339,1340,1341],"th",{},"Rule",[1339,1343,1344],{},"Severity",[1339,1346,1347],{},"Likelihood",[1339,1349,1350],{},"Detectable",[1339,1352,1353],{},"Repairable",[1339,1355,1356],{},"Priority",[1339,1358,1359],{},"Level",[1361,1362,1333,1363,1329],"tbody",{},[1335,1364,1337,1365,1337,1369,1337,1372,1337,1375,1337,1378,1337,1381,1337,1385,1333],{},[1366,1367,1368],"td",{},"DRD08-J",[1366,1370,1371],{},"High",[1366,1373,1374],{},"Probable",[1366,1376,1377],{},"Yes",[1366,1379,1380],{},"No",[1366,1382,1384],{"style":1383},"color: #e74c3c;","P12",[1366,1386,1387],{"style":1383},"L1",[68,1389,1391],{"id":1390},"automated-detection","Automated Detection",[39,1393,1394],{},"Automatic detection of the receipt of a URL is straightforward. It should also be feasible to automatically check whether the path has been canonicalized. 
However, if it has not, manual intervention would be required.",[39,1396,1397],{},"Tool",[39,1399,1400],{},"Version",[39,1402,1403],{},"Checker",[39,1405,1406],{},"Description",[68,1408,1410],{"id":1409},"related-vulnerabilities","Related Vulnerabilities",[1412,1413,1414],"ul",{},[1415,1416,1417,1422],"li",{},[55,1418,1421],{"href":1419,"rel":1420},"https:\u002F\u002Fjvn.jp\u002Fen\u002Fjp\u002FJVN78601526\u002F",[64],"JVN#78601526"," GREE for Android vulnerable to directory traversal",[68,1424,1426],{"id":1425},"bibliography","Bibliography",[1327,1428,1429,1437],{},[1331,1430,1431],{},[1335,1432,1433,1435],{},[1339,1434],{},[1339,1436],{},[1361,1438,1439],{},[1335,1440,1441,1447],{},[1366,1442,1443,1444,1446],{},"[ ",[55,1445,871],{"href":870}," ]",[1366,1448,1449],{},[55,1450,864],{"href":875,"rel":1451},[64],[1453,1454],"hr",{},[39,1456,1457,1464,1465,1464,1471],{},[55,1458,1460],{"href":1459},"https:\u002F\u002Fwww.securecoding.cert.org\u002Fconfluence\u002Fdisplay\u002Fjava\u002FDRD07-J.+Protect+exported+services+with+strong+permissions?showChildren=false&showComments=false",[1461,1462],"img",{"src":1463},"\u002Fattachments\u002F88487702\u002F88497198.png"," ",[55,1466,1468],{"href":1467},"https:\u002F\u002Fwww.securecoding.cert.org\u002Fconfluence\u002Fpages\u002Fviewpage.action?pageId=111509535",[1461,1469],{"src":1470},"\u002Fattachments\u002F88487702\u002F88497196.png",[55,1472,1474],{"href":1473},"https:\u002F\u002Fwww.securecoding.cert.org\u002Fconfluence\u002Fdisplay\u002Fjava\u002FDRD09-J%3A+Restrict+access+to+sensitive+activities?showChildren=false&showComments=false",[1461,1475],{"src":1476},"\u002Fattachments\u002F88487702\u002F88497197.png",[1478,1479,1480],"style",{},"html pre.shiki code .sC2Qs, html code.shiki .sC2Qs{--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sk8M1, html code.shiki 
.sk8M1{--shiki-default:#24292E;--shiki-default-font-style:inherit;--shiki-dark:#E1E4E8;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sMOD_, html code.shiki .sMOD_{--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .srTi1, html code.shiki .srTi1{--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .s8-w5, html code.shiki .s8-w5{--shiki-default:#6A737D;--shiki-dark:#6A737D;--shiki-sepia:#88846F}html pre.shiki code .sq6CD, html code.shiki 
.sq6CD{--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .s7F3e, html code.shiki .s7F3e{--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sstjo, html code.shiki .sstjo{--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sP7S_, html code.shiki .sP7S_{--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#FD971F}",{"title":96,"searchDepth":134,"depth":134,"links":1482},[1483,1484,1489,1490,1491,1492,1493,1494],{"id":70,"depth":134,"text":71},{"id":718,"depth":134,"text":719,"children":1485},[1486,1487,1488],{"id":863,"depth":161,"text":864},{"id":911,"depth":161,"text":912},{"id":1035,"depth":161,"text":1036},{"id":1134,"depth":134,"text":1135},{"id":1306,"depth":134,"text":1307},{"id":1321,"depth":134,"text":1322},{"id":1390,"depth":134,"text":1391},{"id":1409,"depth":134,"text":1410},{"id":1425,"depth":134,"text":1426},"By using the ContentProvider.openFile() method, you can provide a facility for another application to access your application data (file). Depending on the implementation of ContentProvider , use of the method can lead to a directory traversal vulnerability. Therefore, when exchanging a file through a content provider, the path should be canonicalized before it is used.","md",{"tags":1498},[1499,1500,1501,1502],"android-applicable","cps","drd","rule","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcomponent-security-cps\u002Fdrd08-j",{"title":30,"description":1495},"3.android-secure-coding-standard\u002F3.rules\u002F04.component-security-cps\u002F4.drd08-j","vgs96wVSn0MHYT8qJqYKFC9Lm-GuTaQp81Lhw4Owm-c",[1508,1512],{"title":1509,"path":1510,"stem":1511,"children":-1},"DRD07-X. 
Protect exported services with strong permissions","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcomponent-security-cps\u002Fdrd07-x","3.android-secure-coding-standard\u002F3.rules\u002F04.component-security-cps\u002F3.drd07-x",{"title":1513,"path":1514,"stem":1515,"children":-1},"DRD09. Restrict access to sensitive activities","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcomponent-security-cps\u002Fdrd09-restrict-access-to-sensitive-activities","3.android-secure-coding-standard\u002F3.rules\u002F04.component-security-cps\u002F5.drd09-restrict-access-to-sensitive-activities",[1517],{"title":1518,"path":1519,"stem":1520,"children":1521},"SCI CERT Android Secure Coding Standard","\u002Fandroid-secure-coding-standard","3.android-secure-coding-standard\u002F1.index",[1522,1523,1573,1830,1927,1989,2013],{"title":1518,"path":1519,"stem":1520},{"title":1524,"path":1525,"stem":1526,"children":1527},"Front Matter","\u002Fandroid-secure-coding-standard\u002Ffront-matter","3.android-secure-coding-standard\u002F2.front-matter\u002F1.index",[1528,1529,1551],{"title":1524,"path":1525,"stem":1526},{"title":1530,"path":1531,"stem":1532,"children":1533},"Guidelines for Wiki Contributors","\u002Fandroid-secure-coding-standard\u002Ffront-matter\u002Fguidelines-for-wiki-contributors","3.android-secure-coding-standard\u002F2.front-matter\u002F2.guidelines-for-wiki-contributors\u002F1.index",[1534,1535,1539,1543,1547],{"title":1530,"path":1531,"stem":1532},{"title":1536,"path":1537,"stem":1538},"Deprecations","\u002Fandroid-secure-coding-standard\u002Ffront-matter\u002Fguidelines-for-wiki-contributors\u002Fdeprecations","3.android-secure-coding-standard\u002F2.front-matter\u002F2.guidelines-for-wiki-contributors\u002F2.deprecations",{"title":1540,"path":1541,"stem":1542},"Editing Automated Detection 
Information","\u002Fandroid-secure-coding-standard\u002Ffront-matter\u002Fguidelines-for-wiki-contributors\u002Fediting-automated-detection-information","3.android-secure-coding-standard\u002F2.front-matter\u002F2.guidelines-for-wiki-contributors\u002F3.editing-automated-detection-information",{"title":1544,"path":1545,"stem":1546},"Editing-Related Guidelines","\u002Fandroid-secure-coding-standard\u002Ffront-matter\u002Fguidelines-for-wiki-contributors\u002Fediting-related-guidelines","3.android-secure-coding-standard\u002F2.front-matter\u002F2.guidelines-for-wiki-contributors\u002F4.editing-related-guidelines",{"title":1548,"path":1549,"stem":1550},"Rules versus Recommendations","\u002Fandroid-secure-coding-standard\u002Ffront-matter\u002Fguidelines-for-wiki-contributors\u002Frules-versus-recommendations","3.android-secure-coding-standard\u002F2.front-matter\u002F2.guidelines-for-wiki-contributors\u002F5.rules-versus-recommendations",{"title":1552,"path":1553,"stem":1554,"children":1555},"Introduction","\u002Fandroid-secure-coding-standard\u002Ffront-matter\u002Fintroduction","3.android-secure-coding-standard\u002F2.front-matter\u002F3.introduction\u002F01.index",[1556,1557,1561,1565,1569],{"title":1552,"path":1553,"stem":1554},{"title":1558,"path":1559,"stem":1560},"Introduction to Android-Only Rules","\u002Fandroid-secure-coding-standard\u002Ffront-matter\u002Fintroduction\u002Fintroduction-to-android-only-rules","3.android-secure-coding-standard\u002F2.front-matter\u002F3.introduction\u002F02.introduction-to-android-only-rules",{"title":1562,"path":1563,"stem":1564},"Introduction to C Rules and Recommendations","\u002Fandroid-secure-coding-standard\u002Ffront-matter\u002Fintroduction\u002Fintroduction-to-c-rules-and-recommendations","3.android-secure-coding-standard\u002F2.front-matter\u002F3.introduction\u002F03.introduction-to-c-rules-and-recommendations",{"title":1566,"path":1567,"stem":1568},"Introduction to Java 
Recommendations","\u002Fandroid-secure-coding-standard\u002Ffront-matter\u002Fintroduction\u002Fintroduction-to-java-recommendations","3.android-secure-coding-standard\u002F2.front-matter\u002F3.introduction\u002F04.introduction-to-java-recommendations",{"title":1570,"path":1571,"stem":1572},"Introduction to Java Rules","\u002Fandroid-secure-coding-standard\u002Ffront-matter\u002Fintroduction\u002Fintroduction-to-java-rules","3.android-secure-coding-standard\u002F2.front-matter\u002F3.introduction\u002F05.introduction-to-java-rules",{"title":1574,"path":1575,"stem":1576,"children":1577},"Rules","\u002Fandroid-secure-coding-standard\u002Frules","3.android-secure-coding-standard\u002F3.rules\u002F01.index",[1578,1579,1583,1587,1600,1604,1626,1630,1634,1638,1642,1672,1676,1680,1684,1702,1706,1710,1714,1718,1744,1758,1762,1766,1788,1792,1796,1800,1804,1808,1812],{"title":1574,"path":1575,"stem":1576},{"title":1580,"path":1581,"stem":1582},"Application Programming Interfaces (API)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fapplication-programming-interfaces-api","3.android-secure-coding-standard\u002F3.rules\u002F02.application-programming-interfaces-api",{"title":1584,"path":1585,"stem":1586},"Characters and String (STR)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcharacters-and-string-str","3.android-secure-coding-standard\u002F3.rules\u002F03.characters-and-string-str",{"title":1588,"path":1589,"stem":1590,"children":1591},"Component Security (CPS)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcomponent-security-cps","3.android-secure-coding-standard\u002F3.rules\u002F04.component-security-cps\u002F1.index",[1592,1593,1597,1598,1599],{"title":1588,"path":1589,"stem":1590},{"title":1594,"path":1595,"stem":1596},"DRD01-X. 
Limit the accessibility of an app's sensitive content provider","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcomponent-security-cps\u002Fdrd01-x","3.android-secure-coding-standard\u002F3.rules\u002F04.component-security-cps\u002F2.drd01-x",{"title":1509,"path":1510,"stem":1511},{"title":30,"path":1503,"stem":1505},{"title":1513,"path":1514,"stem":1515},{"title":1601,"path":1602,"stem":1603},"Concurrency (CON)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fconcurrency-con","3.android-secure-coding-standard\u002F3.rules\u002F05.concurrency-con",{"title":1605,"path":1606,"stem":1607,"children":1608},"Cryptography (CRP)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcryptography-crp","3.android-secure-coding-standard\u002F3.rules\u002F06.cryptography-crp\u002F1.index",[1609,1610,1614,1618,1622],{"title":1605,"path":1606,"stem":1607},{"title":1611,"path":1612,"stem":1613},"DRD17-J. Do not use the Android cryptographic security provider encryption default for AES","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcryptography-crp\u002Fdrd17-j","3.android-secure-coding-standard\u002F3.rules\u002F06.cryptography-crp\u002F2.drd17-j",{"title":1615,"path":1616,"stem":1617},"DRD18. Do not use the default behavior in a cryptographic library if it does not use recommended practices","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcryptography-crp\u002Fdrd18-do-not-use-the-default-behavior-in-a-cryptographic-library-if-it-does-not-use-recommended-practices","3.android-secure-coding-standard\u002F3.rules\u002F06.cryptography-crp\u002F3.drd18-do-not-use-the-default-behavior-in-a-cryptographic-library-if-it-does-not-use-recommended-practices",{"title":1619,"path":1620,"stem":1621},"DRD24. 
Do not bundle OAuth security-related protocol logic or sensitive data into a relying party's app","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcryptography-crp\u002Fdrd24-do-not-bundle-oauth-security-related-protocol-logic-or-sensitive-data-into-a-relying-partys-app","3.android-secure-coding-standard\u002F3.rules\u002F06.cryptography-crp\u002F4.drd24-do-not-bundle-oauth-security-related-protocol-logic-or-sensitive-data-into-a-relying-partys-app",{"title":1623,"path":1624,"stem":1625},"DRD25. Use constant-time encryption","\u002Fandroid-secure-coding-standard\u002Frules\u002Fcryptography-crp\u002Fdrd25-use-constant-time-encryption","3.android-secure-coding-standard\u002F3.rules\u002F06.cryptography-crp\u002F5.drd25-use-constant-time-encryption",{"title":1627,"path":1628,"stem":1629},"Declarations and Initialization (DCL)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fdeclarations-and-initialization-dcl","3.android-secure-coding-standard\u002F3.rules\u002F07.declarations-and-initialization-dcl",{"title":1631,"path":1632,"stem":1633},"Environment (ENV)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fenvironment-env","3.android-secure-coding-standard\u002F3.rules\u002F08.environment-env",{"title":1635,"path":1636,"stem":1637},"Error Handling (ERR)","\u002Fandroid-secure-coding-standard\u002Frules\u002Ferror-handling-err","3.android-secure-coding-standard\u002F3.rules\u002F09.error-handling-err",{"title":1639,"path":1640,"stem":1641},"Expressions (EXP)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fexpressions-exp","3.android-secure-coding-standard\u002F3.rules\u002F10.expressions-exp",{"title":1643,"path":1644,"stem":1645,"children":1646},"File I\u002FO and Logging 
(FIO)","\u002Fandroid-secure-coding-standard\u002Frules\u002Ffile-io-and-logging-fio","3.android-secure-coding-standard\u002F3.rules\u002F11.file-io-and-logging-fio\u002F1.index",[1647,1648,1652,1656,1660,1664,1668],{"title":1643,"path":1644,"stem":1645},{"title":1649,"path":1650,"stem":1651},"DRD04-J. Do not log sensitive information","\u002Fandroid-secure-coding-standard\u002Frules\u002Ffile-io-and-logging-fio\u002Fdrd04-j","3.android-secure-coding-standard\u002F3.rules\u002F11.file-io-and-logging-fio\u002F2.drd04-j",{"title":1653,"path":1654,"stem":1655},"DRD00. Do not store sensitive information on external storage (SD card) unless encrypted first","\u002Fandroid-secure-coding-standard\u002Frules\u002Ffile-io-and-logging-fio\u002Fdrd00-do-not-store-sensitive-information-on-external-storage-sd-card-unless-encrypted-first","3.android-secure-coding-standard\u002F3.rules\u002F11.file-io-and-logging-fio\u002F3.drd00-do-not-store-sensitive-information-on-external-storage-sd-card-unless-encrypted-first",{"title":1657,"path":1658,"stem":1659},"DRD11. Ensure that sensitive data is kept secure","\u002Fandroid-secure-coding-standard\u002Frules\u002Ffile-io-and-logging-fio\u002Fdrd11-ensure-that-sensitive-data-is-kept-secure","3.android-secure-coding-standard\u002F3.rules\u002F11.file-io-and-logging-fio\u002F4.drd11-ensure-that-sensitive-data-is-kept-secure",{"title":1661,"path":1662,"stem":1663},"DRD12. Do not trust data from world-writable files","\u002Fandroid-secure-coding-standard\u002Frules\u002Ffile-io-and-logging-fio\u002Fdrd12-do-not-trust-data-from-world-writable-files","3.android-secure-coding-standard\u002F3.rules\u002F11.file-io-and-logging-fio\u002F5.drd12-do-not-trust-data-from-world-writable-files",{"title":1665,"path":1666,"stem":1667},"DRD23. 
Do not use world readable or writeable to share files between apps","\u002Fandroid-secure-coding-standard\u002Frules\u002Ffile-io-and-logging-fio\u002Fdrd23-do-not-use-world-readable-or-writeable-to-share-files-between-apps","3.android-secure-coding-standard\u002F3.rules\u002F11.file-io-and-logging-fio\u002F6.drd23-do-not-use-world-readable-or-writeable-to-share-files-between-apps",{"title":1669,"path":1670,"stem":1671},"DRD28 Do not load world-writable libraries","\u002Fandroid-secure-coding-standard\u002Frules\u002Ffile-io-and-logging-fio\u002Fdrd28-do-not-load-world-writable-libraries","3.android-secure-coding-standard\u002F3.rules\u002F11.file-io-and-logging-fio\u002F7.drd28-do-not-load-world-writable-libraries",{"title":1673,"path":1674,"stem":1675},"Floating Point (FLP)","\u002Fandroid-secure-coding-standard\u002Frules\u002Ffloating-point-flp","3.android-secure-coding-standard\u002F3.rules\u002F12.floating-point-flp",{"title":1677,"path":1678,"stem":1679},"Input Validation and Data Sanitization (IDS)","\u002Fandroid-secure-coding-standard\u002Frules\u002Finput-validation-and-data-sanitization-ids","3.android-secure-coding-standard\u002F3.rules\u002F13.input-validation-and-data-sanitization-ids",{"title":1681,"path":1682,"stem":1683},"Integers (INT)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fintegers-int","3.android-secure-coding-standard\u002F3.rules\u002F14.integers-int",{"title":1685,"path":1686,"stem":1687,"children":1688},"Intent (ITT)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fintent-itt","3.android-secure-coding-standard\u002F3.rules\u002F15.intent-itt\u002F1.index",[1689,1690,1694,1698],{"title":1685,"path":1686,"stem":1687},{"title":1691,"path":1692,"stem":1693},"DRD03-J. 
Do not broadcast sensitive information using an implicit intent","\u002Fandroid-secure-coding-standard\u002Frules\u002Fintent-itt\u002Fdrd03-j","3.android-secure-coding-standard\u002F3.rules\u002F15.intent-itt\u002F2.drd03-j",{"title":1695,"path":1696,"stem":1697},"DRD21-J. Always pass explicit intents to a PendingIntent","\u002Fandroid-secure-coding-standard\u002Frules\u002Fintent-itt\u002Fdrd21-j","3.android-secure-coding-standard\u002F3.rules\u002F15.intent-itt\u002F3.drd21-j",{"title":1699,"path":1700,"stem":1701},"DRD06. Verify the caller of intents before acting on them","\u002Fandroid-secure-coding-standard\u002Frules\u002Fintent-itt\u002Fdrd06-verify-the-caller-of-intents-before-acting-on-them","3.android-secure-coding-standard\u002F3.rules\u002F15.intent-itt\u002F4.drd06-verify-the-caller-of-intents-before-acting-on-them",{"title":1703,"path":1704,"stem":1705},"Java Native Interface (JNI)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fjava-native-interface-jni","3.android-secure-coding-standard\u002F3.rules\u002F16.java-native-interface-jni",{"title":1707,"path":1708,"stem":1709},"Locking (LCK)","\u002Fandroid-secure-coding-standard\u002Frules\u002Flocking-lck","3.android-secure-coding-standard\u002F3.rules\u002F17.locking-lck",{"title":1711,"path":1712,"stem":1713},"Memory Management (MEM)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmemory-management-mem","3.android-secure-coding-standard\u002F3.rules\u002F18.memory-management-mem",{"title":1715,"path":1716,"stem":1717},"Methods (MET)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmethods-met","3.android-secure-coding-standard\u002F3.rules\u002F19.methods-met",{"title":1719,"path":1720,"stem":1721,"children":1722},"Miscellaneous 
(MSC)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmiscellaneous-msc","3.android-secure-coding-standard\u002F3.rules\u002F20.miscellaneous-msc\u002F1.index",[1723,1724,1728,1732,1736,1740],{"title":1719,"path":1720,"stem":1721},{"title":1725,"path":1726,"stem":1727},"DRD10-X. Do not release apps that are debuggable","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmiscellaneous-msc\u002Fdrd10-x","3.android-secure-coding-standard\u002F3.rules\u002F20.miscellaneous-msc\u002F2.drd10-x",{"title":1729,"path":1730,"stem":1731},"DRD15-J. Consider privacy concerns when using Geolocation API","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmiscellaneous-msc\u002Fdrd15-j","3.android-secure-coding-standard\u002F3.rules\u002F20.miscellaneous-msc\u002F3.drd15-j",{"title":1733,"path":1734,"stem":1735},"DRD26-J. For OAuth, use a secure Android method to deliver access tokens","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmiscellaneous-msc\u002Fdrd26-j","3.android-secure-coding-standard\u002F3.rules\u002F20.miscellaneous-msc\u002F4.drd26-j",{"title":1737,"path":1738,"stem":1739},"DRD27-J. For OAuth, use an explicit intent method to deliver access tokens","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmiscellaneous-msc\u002Fdrd27-j","3.android-secure-coding-standard\u002F3.rules\u002F20.miscellaneous-msc\u002F5.drd27-j",{"title":1741,"path":1742,"stem":1743},"DRD25. 
To request user permission for OAuth, identify relying party and its permissions scope","\u002Fandroid-secure-coding-standard\u002Frules\u002Fmiscellaneous-msc\u002Fdrd25-to-request-user-permission-for-oauth-identify-relying-party-and-its-permissions-scope","3.android-secure-coding-standard\u002F3.rules\u002F20.miscellaneous-msc\u002F6.drd25-to-request-user-permission-for-oauth-identify-relying-party-and-its-permissions-scope",{"title":1745,"path":1746,"stem":1747,"children":1748},"Network - SSL\u002FTLS (NET)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fnetwork-ssltls-net","3.android-secure-coding-standard\u002F3.rules\u002F21.network-ssltls-net\u002F1.index",[1749,1750,1754],{"title":1745,"path":1746,"stem":1747},{"title":1751,"path":1752,"stem":1753},"DRD23-J. Do not use loopback when handling sensitive data","\u002Fandroid-secure-coding-standard\u002Frules\u002Fnetwork-ssltls-net\u002Fdrd23-j","3.android-secure-coding-standard\u002F3.rules\u002F21.network-ssltls-net\u002F2.drd23-j",{"title":1755,"path":1756,"stem":1757},"DRD19. 
Properly verify server certificate on SSL\u002FTLS","\u002Fandroid-secure-coding-standard\u002Frules\u002Fnetwork-ssltls-net\u002Fdrd19-properly-verify-server-certificate-on-ssltls","3.android-secure-coding-standard\u002F3.rules\u002F21.network-ssltls-net\u002F3.drd19-properly-verify-server-certificate-on-ssltls",{"title":1759,"path":1760,"stem":1761},"Numeric Types and Operations (NUM)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fnumeric-types-and-operations-num","3.android-secure-coding-standard\u002F3.rules\u002F22.numeric-types-and-operations-num",{"title":1763,"path":1764,"stem":1765},"Object Orientation (OBJ)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fobject-orientation-obj","3.android-secure-coding-standard\u002F3.rules\u002F23.object-orientation-obj",{"title":1767,"path":1768,"stem":1769,"children":1770},"Permission (PER)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fpermission-per","3.android-secure-coding-standard\u002F3.rules\u002F24.permission-per\u002F1.index",[1771,1772,1776,1780,1784],{"title":1767,"path":1768,"stem":1769},{"title":1773,"path":1774,"stem":1775},"DRD05-J. Do not grant URI permissions on implicit intents","\u002Fandroid-secure-coding-standard\u002Frules\u002Fpermission-per\u002Fdrd05-j","3.android-secure-coding-standard\u002F3.rules\u002F24.permission-per\u002F2.drd05-j",{"title":1777,"path":1778,"stem":1779},"DRD14-J. Check that a calling app has appropriate permissions before responding","\u002Fandroid-secure-coding-standard\u002Frules\u002Fpermission-per\u002Fdrd14-j","3.android-secure-coding-standard\u002F3.rules\u002F24.permission-per\u002F3.drd14-j",{"title":1781,"path":1782,"stem":1783},"DRD16-X. Explicitly define the exported attribute for private components","\u002Fandroid-secure-coding-standard\u002Frules\u002Fpermission-per\u002Fdrd16-x","3.android-secure-coding-standard\u002F3.rules\u002F24.permission-per\u002F4.drd16-x",{"title":1785,"path":1786,"stem":1787},"DRD20-C. 
Specify permissions when creating files via the NDK","\u002Fandroid-secure-coding-standard\u002Frules\u002Fpermission-per\u002Fdrd20-c","3.android-secure-coding-standard\u002F3.rules\u002F24.permission-per\u002F5.drd20-c",{"title":1789,"path":1790,"stem":1791},"Platform Security (SEC)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fplatform-security-sec","3.android-secure-coding-standard\u002F3.rules\u002F25.platform-security-sec",{"title":1793,"path":1794,"stem":1795},"Preprocessor (PRE)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fpreprocessor-pre","3.android-secure-coding-standard\u002F3.rules\u002F26.preprocessor-pre",{"title":1797,"path":1798,"stem":1799},"Serialization (SER)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fserialization-ser","3.android-secure-coding-standard\u002F3.rules\u002F27.serialization-ser",{"title":1801,"path":1802,"stem":1803},"Thread APIs (THI)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fthread-apis-thi","3.android-secure-coding-standard\u002F3.rules\u002F28.thread-apis-thi",{"title":1805,"path":1806,"stem":1807},"Thread-Safety Miscellaneous (TSM)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fthread-safety-miscellaneous-tsm","3.android-secure-coding-standard\u002F3.rules\u002F29.thread-safety-miscellaneous-tsm",{"title":1809,"path":1810,"stem":1811},"Visibility and Atomicity (VNA)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fvisibility-and-atomicity-vna","3.android-secure-coding-standard\u002F3.rules\u002F30.visibility-and-atomicity-vna",{"title":1813,"path":1814,"stem":1815,"children":1816},"WebView (WBV)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fwebview-wbv","3.android-secure-coding-standard\u002F3.rules\u002F31.webview-wbv\u002F1.index",[1817,1818,1822,1826],{"title":1813,"path":1814,"stem":1815},{"title":1819,"path":1820,"stem":1821},"DRD02-J. 
Do not allow WebView to access sensitive local resource through file scheme","\u002Fandroid-secure-coding-standard\u002Frules\u002Fwebview-wbv\u002Fdrd02-j","3.android-secure-coding-standard\u002F3.rules\u002F31.webview-wbv\u002F2.drd02-j",{"title":1823,"path":1824,"stem":1825},"DRD13. Do not provide addJavascriptInterface method access in a WebView which could contain untrusted content. (API level JELLY_BEAN or below)","\u002Fandroid-secure-coding-standard\u002Frules\u002Fwebview-wbv\u002Fdrd13-do-not-provide-addjavascriptinterface-method-access-in-a-webview-which-could-contain-untrusted-content-api-level-jelly_bean-or-below","3.android-secure-coding-standard\u002F3.rules\u002F31.webview-wbv\u002F3.drd13-do-not-provide-addjavascriptinterface-method-access-in-a-webview-which-could-contain-untrusted-content-api-level-jelly_bean-or-below",{"title":1827,"path":1828,"stem":1829},"DRD22. Do not cache sensitive information","\u002Fandroid-secure-coding-standard\u002Frules\u002Fwebview-wbv\u002Fdrd22-do-not-cache-sensitive-information","3.android-secure-coding-standard\u002F3.rules\u002F31.webview-wbv\u002F4.drd22-do-not-cache-sensitive-information",{"title":1831,"path":1832,"stem":1833,"children":1834},"Recommendations","\u002Fandroid-secure-coding-standard\u002Frecommendations","3.android-secure-coding-standard\u002F4.recommendations\u002F01.index",[1835,1836,1839,1843,1846,1849,1852,1855,1858,1861,1864,1867,1870,1873,1876,1879,1882,1885,1888,1891,1894,1897,1900,1903,1906,1909,1912,1915,1918,1921,1924],{"title":1831,"path":1832,"stem":1833},{"title":1580,"path":1837,"stem":1838},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fapplication-programming-interfaces-api","3.android-secure-coding-standard\u002F4.recommendations\u002F02.application-programming-interfaces-api",{"title":1840,"path":1841,"stem":1842},"Characters and Strings 
(STR)","\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fcharacters-and-strings-str","3.android-secure-coding-standard\u002F4.recommendations\u002F03.characters-and-strings-str",{"title":1588,"path":1844,"stem":1845},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fcomponent-security-cps","3.android-secure-coding-standard\u002F4.recommendations\u002F04.component-security-cps",{"title":1601,"path":1847,"stem":1848},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fconcurrency-con","3.android-secure-coding-standard\u002F4.recommendations\u002F05.concurrency-con",{"title":1605,"path":1850,"stem":1851},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fcryptography-crp","3.android-secure-coding-standard\u002F4.recommendations\u002F06.cryptography-crp",{"title":1627,"path":1853,"stem":1854},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fdeclarations-and-initialization-dcl","3.android-secure-coding-standard\u002F4.recommendations\u002F07.declarations-and-initialization-dcl",{"title":1631,"path":1856,"stem":1857},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fenvironment-env","3.android-secure-coding-standard\u002F4.recommendations\u002F08.environment-env",{"title":1635,"path":1859,"stem":1860},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Ferror-handling-err","3.android-secure-coding-standard\u002F4.recommendations\u002F09.error-handling-err",{"title":1639,"path":1862,"stem":1863},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fexpressions-exp","3.android-secure-coding-standard\u002F4.recommendations\u002F10.expressions-exp",{"title":1643,"path":1865,"stem":1866},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Ffile-io-and-logging-fio","3.android-secure-coding-standard\u002F4.recommendations\u002F11.file-io-and-logging-fio",{"title":1673,"path":1868,"stem":1869},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Ffloating-po
int-flp","3.android-secure-coding-standard\u002F4.recommendations\u002F12.floating-point-flp",{"title":1677,"path":1871,"stem":1872},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Finput-validation-and-data-sanitization-ids","3.android-secure-coding-standard\u002F4.recommendations\u002F13.input-validation-and-data-sanitization-ids",{"title":1681,"path":1874,"stem":1875},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fintegers-int","3.android-secure-coding-standard\u002F4.recommendations\u002F14.integers-int",{"title":1685,"path":1877,"stem":1878},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fintent-itt","3.android-secure-coding-standard\u002F4.recommendations\u002F15.intent-itt",{"title":1703,"path":1880,"stem":1881},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fjava-native-interface-jni","3.android-secure-coding-standard\u002F4.recommendations\u002F16.java-native-interface-jni",{"title":1707,"path":1883,"stem":1884},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Flocking-lck","3.android-secure-coding-standard\u002F4.recommendations\u002F17.locking-lck",{"title":1711,"path":1886,"stem":1887},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fmemory-management-mem","3.android-secure-coding-standard\u002F4.recommendations\u002F18.memory-management-mem",{"title":1715,"path":1889,"stem":1890},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fmethods-met","3.android-secure-coding-standard\u002F4.recommendations\u002F19.methods-met",{"title":1719,"path":1892,"stem":1893},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fmiscellaneous-msc","3.android-secure-coding-standard\u002F4.recommendations\u002F20.miscellaneous-msc",{"title":1745,"path":1895,"stem":1896},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fnetwork-ssltls-net","3.android-secure-coding-standard\u002F4.recommendations\u002F21.network-ssltls-net",{"title":1759,"path":189
8,"stem":1899},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fnumeric-types-and-operations-num","3.android-secure-coding-standard\u002F4.recommendations\u002F22.numeric-types-and-operations-num",{"title":1763,"path":1901,"stem":1902},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fobject-orientation-obj","3.android-secure-coding-standard\u002F4.recommendations\u002F23.object-orientation-obj",{"title":1767,"path":1904,"stem":1905},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fpermission-per","3.android-secure-coding-standard\u002F4.recommendations\u002F24.permission-per",{"title":1789,"path":1907,"stem":1908},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fplatform-security-sec","3.android-secure-coding-standard\u002F4.recommendations\u002F25.platform-security-sec",{"title":1793,"path":1910,"stem":1911},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fpreprocessor-pre","3.android-secure-coding-standard\u002F4.recommendations\u002F26.preprocessor-pre",{"title":1797,"path":1913,"stem":1914},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fserialization-ser","3.android-secure-coding-standard\u002F4.recommendations\u002F27.serialization-ser",{"title":1801,"path":1916,"stem":1917},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fthread-apis-thi","3.android-secure-coding-standard\u002F4.recommendations\u002F28.thread-apis-thi",{"title":1805,"path":1919,"stem":1920},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fthread-safety-miscellaneous-tsm","3.android-secure-coding-standard\u002F4.recommendations\u002F29.thread-safety-miscellaneous-tsm",{"title":1809,"path":1922,"stem":1923},"\u002Fandroid-secure-coding-standard\u002Frecommendations\u002Fvisibility-and-atomicity-vna","3.android-secure-coding-standard\u002F4.recommendations\u002F30.visibility-and-atomicity-vna",{"title":1813,"path":1925,"stem":1926},"\u002Fandroid-secure-coding-standard\u002Fre
commendations\u002Fwebview-wbv","3.android-secure-coding-standard\u002F4.recommendations\u002F31.webview-wbv",{"title":1928,"path":1929,"stem":1930,"children":1931},"By Language","\u002Fandroid-secure-coding-standard\u002Fby-language","3.android-secure-coding-standard\u002F5.by-language\u002F1.index",[1932,1933,1937,1959,1963,1985],{"title":1928,"path":1929,"stem":1930},{"title":1934,"path":1935,"stem":1936},"Android Only","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fandroid-only","3.android-secure-coding-standard\u002F5.by-language\u002F2.android-only",{"title":1938,"path":1939,"stem":1940,"children":1941},"C Coding Language","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fc-coding-language","3.android-secure-coding-standard\u002F5.by-language\u002F3.c-coding-language\u002F1.index",[1942,1943,1947,1951,1955],{"title":1938,"path":1939,"stem":1940},{"title":1944,"path":1945,"stem":1946},"Applicable in Principle to Android (C Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fc-coding-language\u002Fapplicable-in-principle-to-android-c-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F3.c-coding-language\u002F2.applicable-in-principle-to-android-c-rulesrecomendations",{"title":1948,"path":1949,"stem":1950},"Applicable to Android (C Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fc-coding-language\u002Fapplicable-to-android-c-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F3.c-coding-language\u002F3.applicable-to-android-c-rulesrecomendations",{"title":1952,"path":1953,"stem":1954},"Not Applicable to Android (C 
Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fc-coding-language\u002Fnot-applicable-to-android-c-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F3.c-coding-language\u002F4.not-applicable-to-android-c-rulesrecomendations",{"title":1956,"path":1957,"stem":1958},"Unknown Applicability (C Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fc-coding-language\u002Funknown-applicability-c-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F3.c-coding-language\u002F5.unknown-applicability-c-rulesrecomendations",{"title":1960,"path":1961,"stem":1962},"C++ Coding Language","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fcpp-coding-language","3.android-secure-coding-standard\u002F5.by-language\u002F4.cpp-coding-language",{"title":1964,"path":1965,"stem":1966,"children":1967},"Java Coding Language","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fjava-coding-language","3.android-secure-coding-standard\u002F5.by-language\u002F5.java-coding-language\u002F1.index",[1968,1969,1973,1977,1981],{"title":1964,"path":1965,"stem":1966},{"title":1970,"path":1971,"stem":1972},"Applicable in Principle to Android (Java Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fjava-coding-language\u002Fapplicable-in-principle-to-android-java-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F5.java-coding-language\u002F2.applicable-in-principle-to-android-java-rulesrecomendations",{"title":1974,"path":1975,"stem":1976},"Applicable to Android (Java 
Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fjava-coding-language\u002Fapplicable-to-android-java-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F5.java-coding-language\u002F3.applicable-to-android-java-rulesrecomendations",{"title":1978,"path":1979,"stem":1980},"Not Applicable to Android (Java Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fjava-coding-language\u002Fnot-applicable-to-android-java-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F5.java-coding-language\u002F4.not-applicable-to-android-java-rulesrecomendations",{"title":1982,"path":1983,"stem":1984},"Unknown Applicability to Android (Java Rules\u002FRecomendations)","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fjava-coding-language\u002Funknown-applicability-to-android-java-rulesrecomendations","3.android-secure-coding-standard\u002F5.by-language\u002F5.java-coding-language\u002F5.unknown-applicability-to-android-java-rulesrecomendations",{"title":1986,"path":1987,"stem":1988},"XML","\u002Fandroid-secure-coding-standard\u002Fby-language\u002Fxml","3.android-secure-coding-standard\u002F5.by-language\u002F6.xml",{"title":1990,"path":1991,"stem":1992,"children":1993},"Back Matter","\u002Fandroid-secure-coding-standard\u002Fback-matter","3.android-secure-coding-standard\u002F6.back-matter\u002F1.index",[1994,1995,1999],{"title":1990,"path":1991,"stem":1992},{"title":1996,"path":1997,"stem":1998},"AA. Bibliography","\u002Fandroid-secure-coding-standard\u002Fback-matter\u002Faa-bibliography","3.android-secure-coding-standard\u002F6.back-matter\u002F2.aa-bibliography",{"title":2000,"path":2001,"stem":2002,"children":2003},"BB. 
Analyzers","\u002Fandroid-secure-coding-standard\u002Fback-matter\u002Fbb-analyzers","3.android-secure-coding-standard\u002F6.back-matter\u002F3.bb-analyzers\u002F1.index",[2004,2005,2009],{"title":2000,"path":2001,"stem":2002},{"title":2006,"path":2007,"stem":2008},"CodeSonar","\u002Fandroid-secure-coding-standard\u002Fback-matter\u002Fbb-analyzers\u002Fcodesonar","3.android-secure-coding-standard\u002F6.back-matter\u002F3.bb-analyzers\u002F2.codesonar",{"title":2010,"path":2011,"stem":2012},"CodeSonar_V","\u002Fandroid-secure-coding-standard\u002Fback-matter\u002Fbb-analyzers\u002Fcodesonar_v","3.android-secure-coding-standard\u002F6.back-matter\u002F3.bb-analyzers\u002F3.codesonar_v",{"title":2014,"path":2015,"stem":2016,"children":2017},"Admin","\u002Fandroid-secure-coding-standard\u002Fadmin","3.android-secure-coding-standard\u002F7.admin\u002F01.index",[2018,2019,2023,2027,2031,2035,2039,2043,2047,2051,2055,2059,2063,2067,2071,2075],{"title":2014,"path":2015,"stem":2016},{"title":2020,"path":2021,"stem":2022},"About the OurCS Workshop","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fabout-the-ourcs-workshop","3.android-secure-coding-standard\u002F7.admin\u002F02.about-the-ourcs-workshop",{"title":2024,"path":2025,"stem":2026},"Android Applicability Summary","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fandroid-applicability-summary","3.android-secure-coding-standard\u002F7.admin\u002F03.android-applicability-summary",{"title":2028,"path":2029,"stem":2030},"Android (DRD)","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fandroid-drd","3.android-secure-coding-standard\u002F7.admin\u002F04.android-drd",{"title":2032,"path":2033,"stem":2034},"Avoid having unreachable code","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Favoid-having-unreachable-code","3.android-secure-coding-standard\u002F7.admin\u002F05.avoid-having-unreachable-code",{"title":2036,"path":2037,"stem":2038},"C Space Change History 
Log","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fc-space-change-history-log","3.android-secure-coding-standard\u002F7.admin\u002F06.c-space-change-history-log",{"title":2040,"path":2041,"stem":2042},"Copy of Rule Template","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fcopy-of-rule-template","3.android-secure-coding-standard\u002F7.admin\u002F07.copy-of-rule-template",{"title":2044,"path":2045,"stem":2046},"C++ Space Change History Log","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fcpp-space-change-history-log","3.android-secure-coding-standard\u002F7.admin\u002F08.cpp-space-change-history-log",{"title":2048,"path":2049,"stem":2050},"Dictionary of Labels","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fdictionary-of-labels","3.android-secure-coding-standard\u002F7.admin\u002F09.dictionary-of-labels",{"title":2052,"path":2053,"stem":2054},"How to Change Applicability When a Rules and Recommendations Change","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fhow-to-change-applicability-when-a-rules-and-recommendations-change","3.android-secure-coding-standard\u002F7.admin\u002F10.how-to-change-applicability-when-a-rules-and-recommendations-change",{"title":2056,"path":2057,"stem":2058},"Java Space Change History Log","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fjava-space-change-history-log","3.android-secure-coding-standard\u002F7.admin\u002F11.java-space-change-history-log",{"title":2060,"path":2061,"stem":2062},"Labels in this Space","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Flabels-in-this-space","3.android-secure-coding-standard\u002F7.admin\u002F12.labels-in-this-space",{"title":2064,"path":2065,"stem":2066},"Perl Space Change History Log","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fperl-space-change-history-log","3.android-secure-coding-standard\u002F7.admin\u002F13.perl-space-change-history-log",{"title":2068,"path":2069,"stem":2070},"Resources for new Android app secure coding rules and 
guidelines","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Fresources-for-new-android-app-secure-coding-rules-and-guidelines","3.android-secure-coding-standard\u002F7.admin\u002F14.resources-for-new-android-app-secure-coding-rules-and-guidelines",{"title":2072,"path":2073,"stem":2074},"Rule Template","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Frule-template","3.android-secure-coding-standard\u002F7.admin\u002F15.rule-template",{"title":2076,"path":2077,"stem":2078},"Rules Applicable for Both the Android Platform and Other Platforms","\u002Fandroid-secure-coding-standard\u002Fadmin\u002Frules-applicable-for-both-the-android-platform-and-other-platforms","3.android-secure-coding-standard\u002F7.admin\u002F16.rules-applicable-for-both-the-android-platform-and-other-platforms",1775657823533]