Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.

Android Bad Practices: Use of Released Camera Resource

Java/JSP

Abstract

The code references the Camera object after it has already been released.

Explanation

The code attempts to use the Camera object after the it has already been released. Any further references to the Camera object without reacquiring the resource will throw an exception, and can cause the application to crash if the exception is not caught.

Example: The following code uses a toggle button to toggle the camera preview on and off. After the user taps the button once, the camera preview stops and the camera resource is released. However, if she taps the button again, startPreview() is called on the previously-released Camera object.


public class ReuseCameraActivity extends Activity {
  private Camera cam;

  ...
  private class CameraButtonListener implements OnClickListener {
      public void onClick(View v) {
          if (toggle) {
              cam.stopPreview();
              cam.release();
          }
          else {
              cam.startPreview();
          }
          toggle = !toggle;
      }
  }
  ...
}

References

[1] Camera, Android Developers

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 416

[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119, [7] CWE ID 416

[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119, [8] CWE ID 416

[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [7] CWE ID 416

[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [7] CWE ID 416

[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [4] CWE ID 416

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[16] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[49] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.java.android_bad_practices_use_of_released_camera_resource