DerScanner
Home / Vulnerability Database / Android : File permission manipulation
Android

Android : File permission manipulation

Classification

OWASP Top 10 2013
A7-Missing Function Level Access Control
OWASP Mobile Top 10 2016
M1-Improper Platform UsageM6-Insecure AuthorizationM8-Code TamperingM10-Extraneous Functionality
OWASP Top 10 2017
A5-Broken Access Control
OWASP Top 10 2021
A1-Broken Access ControlA4-Insecure Design
OWASP ASVS
Access ControlAccess ControlAccess ControlAccess Control
PCI DSS 4.0
6.2.4
HIPAA
§164.312 (a)(1)
CWE
CWE-22CWE-73CWE-200CWE-250CWE-306CWE-434CWE-522CWE-642CWE-732
CWE/SANS Top 25 2011
CWE-22CWE-250CWE-306CWE-434CWE-732
CWE/SANS Top 25 2021
CWE-22CWE-200CWE-306CWE-434CWE-522CWE-732

Overview

The application changes the file access permissions. The extra permissions (e.g., the right to execute) for an unlimited number of users can facilitate the organization of the attack.

Unix-like systems use the commands MkdirAll, OpenFile, Chmod for rights management. Here, the “file” is understood in a broad sense - file, directory, socket, symbolic link, etc. For each file there are three groups of users: the file owner (user), the group to which the file owner belongs (group) and the rest (other). Each group can have the following access rights: read, write, and execute (abbreviated as r, w, and x, respectively).

References

  1. OWASP Top 10 2017-A5-Broken Access Control
  2. CWE-732
MEDIUM

DerScanner Severity Score

Do you want to fix Android : File permission manipulation in your application?

See also

Android

Android : Debug mode on

Android

Android : Error handling: generic exception

Android

Android : HTTP usage