Rule Definition
Content Providers are accessed using URIs of this form: content://authority_name/path/id
The authority_name is specified when one declares a Content Provider in AndroidManifest.xml, and points to the Content Provider itself that will handle the reference (this is usually the full, all lowercase name of the implementing class). The path can be any number of segments, from zero on up, and is used by the Content Provider to find the data in question. In a basic implementation, the path would simply be the name of the table that the data is in. The id refers to a particular item, such as an email message stored by the Content Provider. Thus, a URI into a Content Provider used by an email client app to store messages may look like:
content://com.example.testapps.test1.mailprovider/messages/inbox/155
Remediation
To specify a directory whose files can be accessed through URI permissions, use the path attribute in the <grant-uri-permission> element. For example, to allow URI permissions to be granted on the /attachments/ path, the relevant configuration would look like this:
...
...
Violation Code Sample
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.testapps.test1">
    ...
    <!-- Violation: URI permissions can be granted on any data in this provider -->
    <provider android:name="com.example.testapps.test1.MailProvider"
        android:authorities="com.example.testapps.test1.mailprovider"
        android:readPermission="com.example.testapps.test1.permission.DB_READ"
        android:writePermission="com.example.testapps.test1.permission.DB_WRITE"
        android:grantUriPermissions="true">
    </provider>
    ...
</manifest>
Fixed Code Sample
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.testapps.test1">
    ...
    <!-- Fixed: URI permissions are no longer grantable on the whole provider -->
    <provider android:name="com.example.testapps.test1.MailProvider"
        android:authorities="com.example.testapps.test1.mailprovider"
        android:readPermission="com.example.testapps.test1.permission.DB_READ"
        android:writePermission="com.example.testapps.test1.permission.DB_WRITE"
        android:grantUriPermissions="false">
    </provider>
    ...
</manifest>
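A way to check a manifest against this rule, as an added example that is not CAST's own rule implementation: the script below classifies each provider as granting URI permissions on any path, on listed paths only, or not at all. It assumes the manifest has already been decoded to text XML; the sample manifest is constructed, and AttachmentProvider and NotesProvider are hypothetical names.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
PATH_ATTRS = ("path", "pathPrefix", "pathPattern")

# Constructed sample: the first provider mirrors the page's violation sample;
# the other two (AttachmentProvider, NotesProvider) are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.testapps.test1">
  <application>
    <provider android:name=".MailProvider"
        android:authorities="com.example.testapps.test1.mailprovider"
        android:grantUriPermissions="true"/>
    <provider android:name=".AttachmentProvider"
        android:authorities="com.example.testapps.test1.attachments"
        android:grantUriPermissions="false">
      <grant-uri-permission android:pathPrefix="/attachments/"/>
    </provider>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.testapps.test1.notes"/>
  </application>
</manifest>
"""

def audit_providers(manifest_xml):
    """Classify each <provider> in a decoded (text) AndroidManifest.xml."""
    findings = {}
    for prov in ET.fromstring(manifest_xml).iter("provider"):
        name = prov.get(A + "name", "<unnamed>")
        # The attribute defaults to "false" when it is absent.
        grant_all = prov.get(A + "grantUriPermissions", "false").lower() == "true"
        # Paths on which URI permissions may still be granted when it is "false".
        scoped = [g.get(A + attr) for g in prov.findall("grant-uri-permission")
                  for attr in PATH_ATTRS if g.get(A + attr)]
        if grant_all:
            findings[name] = ("VIOLATION", ["<any path>"])
        elif scoped:
            findings[name] = ("SCOPED", scoped)
        else:
            findings[name] = ("DISABLED", [])
    return findings

if __name__ == "__main__":
    for name, (status, paths) in audit_providers(SAMPLE_MANIFEST).items():
        print(f"{status:10} {name} {paths}")
```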
Reference
https://developer.android.com/topic/security/best-practices
https://cwe.mitre.org/data/definitions/926.html
Technical Criterion
CWE-732 - Incorrect Permission Assignment for Critical Resource